VIRUS-L Digest   Friday, 15 Jul 1994    Volume 7 : Issue 55

Today's Topics:

URGENT: SMEG victims sought... (PC)
anti virus viruses
Re: Benign viruses
Parity - B Virus on HPFS Partition (OS/2)
Re: OS/2 Viruses? Are there a (OS/2)
Re: OS/2 Viruses? Are there a (OS/2)
Re: NATAS Virus? (PC)
Re: Dr Solomon's on the move! (PC)
Re: Budo Virus (PC)
Re: Boot sector virus ? (PC)
Re: Joshi (PC)
Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)
Unknown Virus Attack (PC)
How to save a boot sector (PC)
Re: New virus found - Evolution 2001 (PC)
Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
Re: MtE Virus info wanted (PC)
Re: New AV software (PC)
Re: Need info on "WONDER" virus (PC)
Re: unknown virus (PC)
Re: Matura (PC)
Modified Stoned???? (PC)
Re: Best Anti-virus software (PC)
Excelent virus program! (PC)
Re: dir/reg (PC) (whatever that meant)
Re: NAV 2.0 gives false "Maltese Amoeba" alarm (PC)
Re: MtE Virus info wanted (PC)
Re: antivirus products (PC)
Rosenthal Virus Simulator (PC)
Re: Why so many Leprosy viruses? (PC)
Mosquito Viruses (PC)
Re: Killed the Monkey Virus (PC)
AVP distributors
SMEG Virus Test (PC)
ICARO sites
WildList for July

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.IMS.DISA.MIL.  All submissions should be
sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    15 Jul 94 13:56:48 +0100
From:    virusbtn@vax.oxford.ac.uk
Subject: URGENT: SMEG victims sought... (PC)

Appeal for Information                                 *** URGENT ***

On Wednesday 13/7/94 officers from Devon & Cornwall Constabulary Fraud
Squad together with officers from the Computer Crime Unit, New Scotland
Yard executed a number of search warrants under the UK Computer Misuse
Act in Plymouth.

The investigation was in connection with the authorship and
distribution of computer viruses known as PATHOGEN, QUEEG and GERM,
together with the encryption engine SMEG.

1 man was arrested. He has been bailed to return to a Police Station in
Plymouth at a date in November.

The investigating officers are appealing for anyone who has suffered an
attack by these viruses to contact the Computer Crime Unit at New
Scotland Yard on 071 230 1177 (UK) or +44 71 230 1177 (International)

Scratch one for the good guys! Please guys, if you have been hit by
Pathogen come forward...

Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date:    Tue, 05 Jul 94 02:21:46 -0400
From:    larsnerd@color.ithaca.ny.us (Lars Friend)
Subject: anti virus viruses

Has anybody ever considered that one could construct a virus that tries
to stamp out other viruses? It wouldn't have to be sneaky, and it could
give the user the option of removing it, and if they said no, it would
go about its business. I'm not good enough at that aspect of
programming to do it, but I think it might be interesting. If anybody
out there has heard of a real example, or is interested in the concept
as a philosophical matter, please E-mail me. Thnx.
------------------------------

Date:    Wed, 06 Jul 94 14:37:12 -0400
From:    iandoug@cybernet.za (Ian Douglas)
Subject: Re: Benign viruses

Matthew Johnson (matjoh@delphi.com) wrote:
> A. Padgett Peterson, P.E. Information Se writes:
>
> >Still have yet to see a virus that does not screw something up (am willing
> >to entertain the concept, just have not seen any in practice). Have not even
> >had to leave home to find something that every virus I have seen screws up.
>
> I have found one that doesn't--KOH. It reproduces at your command, encrypts
> your HD with a password you give it, if you want, and it has NO bugs.. so far..

Surely you jest? It reproduces even WITHOUT your command - try saying
no when it asks to install to the HD.

How do you unscramble disks it has scrambled?

- --
- -----------------------------------------------------------------------------
Ian Douglas                                   InterNet: iandoug@cybernet.za
P.O. Box 484             Lead, Follow,        FidoNet:  5:7102/119
7532 Sanlamhof           or get out of        TopNet:   225:2048/1
South Africa             the way.
- -----------------------------------------------------------------------------

------------------------------

Date:    06 Jul 94 12:39:03 +0000
From:    tnmanego@rrws1.wiwi.uni-regensburg.de (Thorsten Manegold)
Subject: Parity - B Virus on HPFS Partition (OS/2)

Hi!

McAfee Virusscan f. OS/2 V 2.02 reports a Parity - B Virus of drive D:
on my System.

I have 2 HD, which are partitioned as follows:

1st HD    1 MB  Boot Manager
         50 MB  OS/2 System;  HPFS in ext. Part. assgn. D:
        170 MB  Apps;         HPFS in ext. Part. assgn. E:
         10 MB  Service       HPFS in ext. Part. assgn. F:

2nd HD  120 MB  DOS           FAT in primary Part. assgn. C:

Version 1.15 of Virusscan does not report it. Neither does Scan 2.00
for DOS. So far there seem to be no symptoms of an Infection. So I
don't know if there really is a virus there. I'd like to check with
other Scanners, therefore could anybody tell me which are good and
where to get them? Furthermore if there really is a Virus, how do I go
about removing it?
If anybody has any suggestions, please send me a private mail.

Thanks

**********************************************************
Thorsten Manegold
Plattenweg 15; 93055 Regensburg
Tel.: (0941) 76 09 49
e-mail: thorsten.manegold@wiwi.uni-regensburg.de

------------------------------

Date:    Wed, 06 Jul 94 10:43:03 -0400
From:    3dierks@rzdspc64.informatik.uni-hamburg.de (Joern Dierks)
Subject: Re: OS/2 Viruses? Are there a (OS/2)

> A [I'd like to know if there are any OS/2 viruses?
> I know of one OS/2 virus.
> It was published in an issue of 40HEX. This virus is a stupid non
> resident direct infector.
> I sent this virus to many of the A-V developers, so virtually all
> scanners should detect this virus easily.
> I have heard that there is another (resident) OS/2 infector, but I
> haven't seen this virus, and it may not exist.

Currently, there are two OS/2-viruses: The first one is the 40Hex-virus
you already mentioned. It is an overwriting non-resident file-virus.
The second is a virus called 'Jiskefet' which is a non-resident file
infector, not overwriting however. Both have been analyzed by our
OS/2-group. More info will be available in the next version of our
virus-database CM-Base.

Regards, Joern.

- ------------------------------------------------------------------------------
Joern Dierks
Virus Test Center
Universitaet Hamburg - FB Informatik
Vogt-Koelln-Strasse 20
22527 Hamburg
e-Mail: 3dierks@fbihh.informatik.uni-hamburg.de
- ------------------------------------------------------------------------------

------------------------------

Date:    Wed, 06 Jul 94 14:39:27 -0400
From:    iandoug@cybernet.za (Ian Douglas)
Subject: Re: OS/2 Viruses? Are there a (OS/2)

Bill Lambdin (bill.lambdin@pcohio.com) wrote:
> >From AMIR77@TAUNIVM.TAU.AC.IL To ALL on 06-21-94
> A [I'd like to know if there are any OS/2 viruses?
> I know of one OS/2 virus.
> It was published in an issue of 40HEX. This virus is a stupid non
> resident direct infector.
> I have heard that there is another (resident) OS/2 infector, but I
> haven't seen this virus, and it may not exist.

It does. Published in another underground mag. Aristotle told me that a
writer sent him the source code for two other OS/2 viruses, which he
(Aristotle) had trouble understanding. By deduction from a comment from
him (under an alias) in FidoNet, there are at least 4 such viruses.

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas                                   InterNet: iandoug@cybernet.za
P.O. Box 484             Lead, Follow,        FidoNet:  5:7102/119
7532 Sanlamhof           or get out of        TopNet:   225:2048/1
South Africa             the way.
- -----------------------------------------------------------------------------

------------------------------

Date:    Sun, 03 Jul 94 20:04:21 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: NATAS Virus? (PC)

garcia@bkfsu1.sedalia.sinet.slb.com (Geoframe User) writes:

>saw fit to release a special version, it must be fairly serious.

it is a fairly serious problem in Mexico....not sure if there have been
any reports elsewhere....I had to release a special version to deal
with it too.

- -frisk

------------------------------

Date:    Sun, 03 Jul 94 20:05:22 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Dr Solomon's on the move! (PC)

halew@nbnet.nb.ca (R. Wallace Hale) writes:

>I've regarded Toolkit as one of the best AV products available and wonder
>why there is so little mention of it here, other than in Vesselin's posts.

might be because the Toolkit has never sold well in the US....where a
very large portion of comp.virus readers are located.

However, I agree that it is a good product....and if any of my UK-based
customers wants my recommendation on which scanner to use together with
F-PROT, I would recommend DSAVTK without hesitation.
The scanners are independent, both have a very high detection rate, and
there are areas where they nicely complement each other....DSAVTK does
a slightly better job of accurate identification (distinguishing
between minor variants), but F-PROT does a slightly better job of
detecting new variants of old viruses.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Sun, 03 Jul 94 20:05:01 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Budo Virus (PC)

MICBB@CUNYVM.CUNY.EDU (Dana Antkowiak) writes:

> Has anyone else been infected with the Budo (B2) virus? If you have and
> have successfully cleaned it,

There are two Budo viruses, 890 and 1000 bytes long. Those are
overwriting viruses, that destroy the programs they infect, so you have
to replace them with "clean" copies....normal disinfection is not
possible.

However....are you absolutely sure you have this virus ? overwriting
viruses like this generally do not spread at all....and I think there
were only some isolated instances in Finland of those two viruses.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Sun, 03 Jul 94 20:05:42 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Boot sector virus ? (PC)

berek@xmission.com (Berek Halfhand) writes:

>Does anyone know of a boot-sector virus called Leonart2 or Lennart2 or
>something like that?

Well, this is not the official CARO name of any boot sector virus, so
there is not much I can do to help. However, in my collection I have
one sample named LENART.BOO - which is an image of the AntiCMOS.A
virus,,,perhaps...just perhaps....the Lennaert2 is then the AntiCMOS.B
virus. It might help if we know which scanner calls it by this name...
- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Sun, 03 Jul 94 20:11:41 -0400
From:    fguidry@crl.com (Fran Guidry)
Subject: Re: Joshi (PC)

Allan D Gray wrote:
>For months I have been using a boot disk for my computer, because I am
>infected with a boot-sector virus. The anti-virus programs that I was
>using could identify the problem, but not fix it. I finally decided to
>get off my duff and tackle this problem. I found this group, got the FAQ,
>read it, downloaded new anti-virus software, etc. etc.
>
>F-prot says that this can cure this virus. When I run it it says that it has
>cured it. If I run it again, it finds "Joshi" and claims to cure it again....
>The computer won't boot without a boot disk....
>
>Does anyone know how to deal with this problem without reformatting my
>entire HD??? If so, please let me know.

You may be reinfecting your computer with a floppy - this is the way
boot sector viruses spread. If so, you will be very disappointed if you
reformat the hard disk and then find that the virus comes back.

Have you used your copy of F-PROT to check and disinfect every single
floppy you own? Try that.

Fran

------------------------------

Date:    Mon, 04 Jul 94 04:56:04 -0400
From:    Henrik Stroem
Subject: Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)

Vesselin writes:

> I do have your HS v3.58 and it is on our ftp site. The only problem is
> that it refuses to run on my machine - something I have reported to
> you several times in the past. As far as I recall, the problem occurred
> because the installation program was trying to trace in interrupt down
> to the BIOS - but my machine is running QEMM in stealth mode.

I wrote a test program to verify my solution to this problem, and it
worked. But I have been very busy (with non-viral things), so I have
not had the time to implement this Stealth compatibility into HS yet.
It will however be done in v3.59, but I don't know when I'll have time
to do this.

Other things I've been looking at are; OS/2 version of HS, Chicago
version of HS, Generic MBR/DBR disinfector for those not smart enough
to install HS *before* they are infected, CMOS integrity checking, etc.

But as things look now, I don't expect to get much av-programming done
the next few weeks ;-(

> You said that a future version of the program will fix the problem -
> any news since then?

I've released a Norwegian commercial version, US commercial version,
and soon a French commercial version will be available. But v3.59 is
not yet completed. Maybe at the end of July.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date:    Mon, 04 Jul 94 09:28:03 -0400
From:    Kamil Bukala
Subject: Unknown Virus Attack (PC)

Short:   Infection by Virus, IBM PC 486-33 (f-prot 2.12c can't detect it),
Message: "Disks travel in packs.",
Damage:  Fats damaged (with directories and files lost).

Can anybody help with detection??

EMAIL: kbukala@cayley.uwaterloo.ca

For long description email same address.

------------------------------

Date:    Mon, 04 Jul 94 11:15:26 -0400
From:    stevet@fujitsu.com (Steve Tamanaha)
Subject: How to save a boot sector (PC)

How can you save a boot sector on to disk. (if you suspect a virus and
want to upload it to the anti-virus companies system for them to
inspect it?)

Thanx,
jims@fsba.com

------------------------------

Date:    Mon, 04 Jul 94 11:25:11 -0400
From:    stevet@fujitsu.com (Steve Tamanaha)
Subject: Re: New virus found - Evolution 2001 (PC)

"MICHAL EGLER" writes:

>I have found a new virus. It is possible to find infected programs in
>BREAJARJ.ARJ and ZIPCRACK.ARJ archive files in most of BBS in Poland.
>But I am quite sure that this virus was not written in Poland. I suggest
>that this virus was written by the same person who wrote TREMOR virus.

Do you have a mcafee/htscan/tbscan scan string that can detect this
virus?
Reply by e-mail to jims@fsba.com.

------------------------------

Date:    Mon, 04 Jul 94 11:57:13 -0400
From:    stevet@fujitsu.com (Steve Tamanaha)
Subject: Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

dasheiff+@pitt.edu (Richard M Dasheiff M.d.) writes:
>frisk@complex.is (Fridrik Skulason) writes:
>]]SimTel/msdos/virus/
>]]vbait12.zip Simple virus bait, detects COM infecting virus
>]
>]"Detects COM infecting viruses"...hmm... Is it able to detect infection
>]by stealth viruses ? If not, I would say a redesign was required.

My best guess would be that this program operates by being a "bait" and
reporting any modifications made to itself by a virus or whatever using
a checksum method.

- -jims@fsba.com

------------------------------

Date:    Mon, 04 Jul 94 11:59:20 -0400
From:    stevet@fujitsu.com (Steve Tamanaha)
Subject: Re: MtE Virus info wanted (PC)

A patch is available to fix the MTE false detect caused by NAV 2.1.
(ptch1a.zip) available on the symantec bbs or compuserve.

------------------------------

Date:    Mon, 04 Jul 94 12:01:21 -0400
From:    stevet@fujitsu.com (Steve Tamanaha)
Subject: Re: New AV software (PC)

tluten@delphi.com writes:

>of SCAN, and worried a lot. Not so much now. I read that Windows files
>are basically uninfectable. Does the rise of Windows spell the end of virus
>concerns? Do concerns over viruses spell the end of DOS?

So, if we posit Windows files are "uninfectable" because normally when
they get infected, it causes windows to crash and you notice the virus.

------------------------------

Date:    Mon, 04 Jul 94 13:26:46 -0400
From:    fguidry@crl.com (Fran Guidry)
Subject: Re: Need info on "WONDER" virus (PC)

wrote:
>Hi
>Does anybody know anything about the "WONDER" virus.
>The virus detection on my PC says that the exe created
>by the C compiler is infected, but when I try to detect
>the virus on the hard disk the software doesn't find it.

Please identify the virus detection software you are using.
Several very widely distributed products, such as the anti-virus
software included with MS-DOS, are so inaccurate as to be worse than
useless.

Fran

------------------------------

Date:    Mon, 04 Jul 94 14:03:45 -0400
From:    fguidry@crl.com (Fran Guidry)
Subject: Re: unknown virus (PC)

Ben Eichelberger wrote:
>We have experienced an unknown virus on our University Campus. The latest
>version of McAfee Virus Detection software 114 did not find anything.
>However, these are the symptoms:
>
>Many lost clusters taking up hard disk space. On one machine it ate up over
>140MB of disk space leaving less than a MB of room to work in. Other
>machines had 30MB, 50MB and 70MB of lost clusters in one file. Some diskettes
>have also had lost clusters eating up remaining room on the diskette. Two of
>the diskettes were unrecoverable and data was lost.

One program often responsible for this kind of problem is Clipper. Try
to determine if someone is using Clipper-ized programs and rebooting or
turning off the computer while temporary files are open or some such.

Fran

------------------------------

Date:    Mon, 04 Jul 94 14:51:22 -0400
From:    iandoug@cybernet.za (Ian Douglas)
Subject: Re: Matura (PC)

Sugan Moodley (moodley@beastie.cs.und.ac.za) wrote:
> Help! I got the Matura92 virus....
> Actually the entire durban campus of Natal got it ( south africa )
> Is there a doctor in the house?
> What's the prognosis....?

I had a look at Matura92 last year when it was down in Cape Town..
surprised it is still around.

It infects .com, .exe files by appending, and command.com by sticking
itself in amongst the hex nils towards the end.

As far as damage goes, only routines I could make out were to mess with
the floppy disk drives.

Scan should still detect it, as will F-Prot and ThunderByte. Not sure
about cleaning.. best is to replace infected files. Check command.com
carefully...
Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas                                   InterNet: iandoug@cybernet.za
P.O. Box 484             Lead, Follow,        FidoNet:  5:7102/119
7532 Sanlamhof           or get out of        TopNet:   225:2048/1
South Africa             the way.
- -----------------------------------------------------------------------------

------------------------------

Date:    Mon, 04 Jul 94 18:18:46 -0400
From:    cguevara@ns.usma.pa (Ing. Carlos R. Guevara L. Tel. 36-1311 ext 221)
Subject: Modified Stoned???? (PC)

My name is Carlos Guevara and I am in charge of the computer labs at a
small University in Panama, Central America.

We have recently suffered a flooding of [Stoned] Virus messages on our
computers. We are running many kinds of Anti-virus programs but mainly
Mcafee's version 116. Scan shows the [Stoned] virus present in high
memory when booting from many hard disks, yet when you boot with a
clean disk and run scan nothing is found neither in the boot sector nor
on a file.

The only other sign that we have a virus (a very obvious sign) is that
every so often a message window appears on the screen interrupting
whatever activity was going on.....The message says.

        Roger Espejo
        Mensaje 1.12
        Lima - Peru.

I've tried searching the disk sector by sector for the strings on the
message (Using DiskEditor) but can't find a thing. No anti-virus
program has been able to find the trace of the virus in the disk.

Is there anyone out there that can help me???? I've tried reformatting
the disk and nothing. I have narrowed it down to being in the boot
sector but can't find it in there. I will try tomorrow to infect a few
floppies to see what changes occur to the boot sector. Then try erasing
it from the sector.

Please if anyone can help me mail me at cguevara@ns.usma.pa or fax me
at 507-26-5278

Thank you.... BYE.
------------------------------

Date:    Tue, 05 Jul 94 07:46:06 -0400
From:    csx134@cck.coventry.ac.uk (Philip Sherlock)
Subject: Re: Best Anti-virus software (PC)

wrote:
>We're trying to figure out the best Anti-virus software for both
>Netware servers (NLM's) and DOS/Windows workstation.
>
>etc.

Yes, use F-Prot. I have been using it now for two years and it has kept
the network and all 50 workstations clear, as well as about another 60
stand alone machines in an educational environment. Updates are
regular. What more can I say?

Phil.

------------------------------

Date:    05 Jul 94 10:22:45 -0500
From:    baskerj2914@cobra.uni.edu
Subject: Excelent virus program! (PC)

I have found a VERY GOOD [EXTREMELY] virus protector from Parson's
Technology. If anyone is interested mail me at Basker89@iscssun.uni.edu.
It's called ViruCide Plus and it is SUPER! Any comments would be
appreciated! Or if you'd like more info...e-mail me! IT SAVED MY SYSTEM!

Jon Baskerville

------------------------------

Date:    05 Jul 94 16:22:13 -0500
From:    sullivan@cobra.uni.edu
Subject: Re: dir/reg (PC) (whatever that meant)

> buster@klaine.pp.fi (Kari Laine) writes:
> >>We received a demo diskette from Network Computing Inc. for a program called
> >>LAN Page. It was version 1.0.5. When it arrived, it was taken out of the
> >>package, write protected, and inserted in a workstation protected by VIRSTOP
> >>2.12. The intercept immediately reported a FORM infection in the boot sector.
> >>F-Prot 2.12 was able to remove the virus and everything seems to be fine.
> >
> >>We called the company's tech support line and reported it. They said that it
> >>isn't the current shipping version, but they will check out the duplicator
> >>stations to be safe.
> >
> > Hi Diane,
> >
> > could you confirm that was there really a Form on the diskettes
> > send out by this company? Have they confirmed or who else
> > did?
> >
> > Regards
> > Kari Laine

Sorry, we needed to get the evaluation done before our fiscal year ran
out, so I removed the virus with F-Prot 2.12, rescanned it several
times, and made a copy. The only confirmation is that 2 different
versions of F-prot identified it and VIRSTOP 2.12 intercepted it.

Diane
============================
sullivan@uni.edu
Diane Sullivan
ISCS NTS
University of Northern Iowa
Cedar Falls, Iowa 50614-0121
(319) 273-6814

------------------------------

Date:    Wed, 06 Jul 94 10:38:10 -0400
From:    bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: NAV 2.0 gives false "Maltese Amoeba" alarm (PC)

Oleg Nickolaevitch Kazatski wrote:
>
> NAV 2.0 indicates that my machine running MS DOS 5.0 has the
>"Maltese Amoeba" virus in two files but I can not find any viruses in
>this files. I suspect this is a false alarm.
>
>[Moderator's note: I believe that this is indeed a false alarm, and
>was documented as such some time back.]
>

Speaking of this, is there anybody out there willing to make such a
list of 'false alarms' etc. and add this to the FAQ (and meanwhile
updating the FAQ). FWIW, I think we start making a joke of ourselves in
this field, when we have a FAQ dated November '92 !!!

Any volunteers ? Any reasons why the FAQ should *not* be updated ?

Piet de Bondt.

bondt@dutiws.twi.tudelft.nl or piet@kgs.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date:    Wed, 06 Jul 94 10:41:08 -0400
From:    "Y. Radai"
Subject: Re: MtE Virus info wanted (PC)

Jeff Lewis had asked:
>>I would appreciate information on "MtE" which I "found" on my
>>machine with Norton Antivirus 2.1. ....

Eli Shapira replies:
> Very likely that it is a false alarm. Norton v2.1 had a few of them.....

I could understand such a comment if it came from anyone *other* than
Eli Shapira!!
For those readers who may be wondering why I say this, the author of
the above reply is the same Eli Shapira who is the main author of the
Central Point and MS-DOS 6 Anti-Virus software (CPAV/MSAV/VSafe), and
no AV software in history has been responsible for more false alarms
than his software!!

The main problem is that the scan patterns in CPAV/MSAV/VSafe *are left
in memory in unencrypted form*, and these trigger other anti-viral
programs which scan memory, i.e. if such programs are activated after
CPAV/MSAV/VSafe, such patterns cause the other programs to give "ghost
positives", i.e. to report that a virus has been found in memory. (A
few years ago Shapira and Co. apparently made some effort to solve this
problem. However, unless there has been some tremendous improvement
since the last time I checked, scan patterns which contain *wildcards*
still remain unencrypted.) No other widely used scanner fails to take
some measure to prevent such false alarms.

The lack of consideration toward other anti-virus products has created
so many problems that F-PROT displays the following message if it finds
VSafe to be active in memory: "Warning! The MSAV/CPAV program is
currently resident ...."

An interesting type of false alarm not connected with the above is that
when MSAV with Version 1.1 of the DOS Anti-Virus Update is activated on
the Sydex product CopyQM, MSAV erroneously reports that CopyQM contains
the "Virus Cruncher" virus. Why? Simply because both CopyQM and the
Cruncher virus use the compression software DIET. (Sydex reports that
Central Point Software ignored its complaints until the matter was
turned over to Sydex's attorney.)

Sounds to me like a case of the pot calling the kettle black ....

Y. Radai
Hebrew Univ.
of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    06 Jul 94 10:13:01 -0500
From:    sullivan@cobra.uni.edu
Subject: Re: antivirus products (PC)

> > He does, but I am not sure that such decisions depend on him. You see,
> > the bad thing with the big anti-virus companies is that often even the
> > few competent anti-virus researchers in them are overhelmed by the
                                                     ^^^^^^^^^^
> > internal bureaucracy. :-(

Was this a Freudian slip? Did you actually mean over-helmed or
overwhelmed? Makes sense to me either way, and I think I prefer the
first.

Sorry, I just couldn't resist.

Diane
============================
sullivan@uni.edu
Diane Sullivan
ISCS NTS
University of Northern Iowa
Cedar Falls, Iowa 50614-0121
(319) 273-6814

------------------------------

Date:    Wed, 06 Jul 94 11:23:47 -0400
From:    as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (PC)

Doren Rosenthal, Member ASP & ASAD
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406
e-mail as194@cleveland.freenet.edu
voice phone 1-805-541-0910

To: "Fredrick B. Cohen"
Subject: Philosophy - good vs bad viruses

July 6, 1994

Dr. Cohen,

Your posting on virus-l reminded me that I've been wanting to contact
you for some time now. First I'm surprised the moderator/sensor posted
your message. My own experience at attempts to participate in open
technical discussions on virus-l having been censored were quite
disappointing. That is why I've not only (attempted) posting this
message on virus-l, but to you directly as well.

[Moderator's note: Why are you surprised that I approved Dr. Cohen's
posting? Although lengthy, his opinions were well formed and civil.
There's no restriction against posting controversial opinions! I
generally only reject unrelated (to the topic of viruses) submissions,
virus code (source or binary), and uncivil postings.]
It is certainly possible to write a virus which serves a useful
function, but doesn't violate anyone's copyright or system integrity. I
have written such a useful virus and have made it publicly available as
shareware (see VIRSIM2C.ZIP) for over a year now with very positive
response from its users.

The virus I'm referring to is part of my complete Virus Simulator
package and is described in the documentation file as the MtE
supplement. This virus provides bait files used to safely demonstrate
anti-virus measures, audit and confirm anti-virus methods are being
employed and to assist training and user awareness.

The Virus Simulator MtE supplement not only requires the user's
permission before infecting a file, but it will only infect programs
that the copyright holder (me) has supplied and authorized. It
discourages tampering, and verifies its own integrity and that of its
host program before infecting it.

Virus Simulator continues to be quite popular for the purpose it was
designed and its users continually report that the MtE supplement
performs a very useful function that they appreciate.

The shareware version of Virus Simulator can be obtained from most ftp
sites, compuserve, America On-line, SDN/Fidonet BBS's and ASP and ASAD
member vendors and BBS's, JCMS, PSL and ASP CD-ROMs etc. as
VIRSIM2C.ZIP.

Comments and constructive criticism are always appreciated, but first
please be sure to read the documentation file thoroughly.

Doren Rosenthal

------------------------------

Date:    Wed, 06 Jul 94 14:43:37 -0400
From:    tracker@netcom.com (Craig)
Subject: Re: Why so many Leprosy viruses? (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: Take anything you read in Patricia Hoffman's VSUM with a large grain
: of salt. It's more like a truck of salt, actually. VSUM is the biggest
: piece of disinformation, incorrect, incomplete, and plain wrong
: things about computer viruses ever put together.

The format and ease of use of VSUM is nice.
I fail to see why Pat continues to publish disinformation, when it
could be of great use to people if it had accurate info. Without people
like yourself, and other very knowledgeable people on comp.virus, many
wouldn't know about VSUM being so bad.

------------------------------

Date:    Wed, 06 Jul 94 14:57:43 -0400
From:    bmonette@porpoise.oise.on.ca (Bernie Monette)
Subject: Mosquito Viruses (PC)

Dennis Clouse (Dennis.Clouse@ucop.edu) writes:

>We consider mosquitoes a threat...we eradicate them without
>considering the guilt or innocence of *individual* mosquitoes...
>ditto the alleged 'beneficial or 'nondestructive' computer
>virus.

You argue precociously. However, it has been a common practise to use
genetically altered insects, ergo beneficial, to eradicate or reduce
the harm of the same species: locusts I think is one example. This
method works and is environmentally safe. So why not try similar
tactics with computer viruses? *Viral* action performing necessary
tasks on a computer. All we have to do is develop the programming
skills to do so.

Cheers,
Bernie Monette

------------------------------

Date:    Wed, 06 Jul 94 16:12:21 -0400
From:    jjb18@columbia.edu (Jeremy J. Blumenfeld)
Subject: Re: Killed the Monkey Virus (PC)

Previous discussion deleted.

>Frisk Software International - Technical note #7
>
> Monkey virus removal
> Some Discussion Deleted.
> 1) Boot from a clean diskette

Quick question: Does this need to be the exact same version of DOS
which the Hard drive was formatted with?

Thanks
jeremy blumenfeld

------------------------------

Date:    Wed, 06 Jul 94 12:35:35 +0400
From:    eugene
Subject: AVP distributors

Hello all,

I just received the message from Keith A. Peer (Antiviral Toolkit Pro
distributor in USA). He received several messages that he is NOT the
USA distributor for AVP, and he asked me to announce my distributors
here.
AVP distributors and technical support sites
--------------------------------------------

Italy:
Future Time Anti-Virus Technology s.n.c.
Mail address : Rome, Umberto Saba st. n. 54/C (Italy)
Phone(s)     : +39-6-8607663, +39-6-5020879
Fax          : +39-6-86321371
E-mail       : MC3162@mclink.it
Fido         : 2:335/347.4

Russia:
KAMI Ltd., Moscow 109052 Nizhegorodskaya st. 29,
Phone        : +7-095-278-9949, +7-095-262-1294
Fax          : +7-095-278-2418
E-mail       : eugene@kamis.msk.su

USA:
Central Command Inc., P.O. Box 856 Brunswick, Ohio 44212
Contact      : Keith A. Peer
Phone        : (216) 273-5743
E-Mail       : central.command@pcohio.com

We welcome contact with other companies and expert groups.

Regards,
Eugene

P.S. Should I announce other companies that will be AVP distributors next time?

---
-- Eugene Kaspersky, KAMI, Moscow, Russia
-- eugene@kamis.msk.su +7 (095)278-9412

------------------------------

Date: Tue, 05 Jul 94 10:52:40 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: SMEG Virus Test (PC)

VIRUS TEST Nr. 002
-= SMEG Viruses =-
Copyright (C) 1994 Luca Sambucci
All rights reserved.
Italian Computer Antivirus Research Organization

The "Simulated Metamorphic Encryption Engine" is a new engine used to create polymorphic viruses; some of these viruses seem to be 'in the wild' in the United Kingdom. At the moment there are three versions of the engine (v0.1, v0.2 and v0.3). For this test I've used two viruses created with the 0.1 and 0.2 versions of the engine, the "Pathogen" and the "Queeg" viruses.

The options used are the same as those used for the June 1994 edition of the General Antivirus Test, except for the "/CPL" option for the AVScan (this product now scans inside compressed files by default).

For all other information (product/producer information, legal issues etc.) please refer to the June 1994 edition of the General Antivirus Test (always available on request or at our official distribution sites).
The following products have been tested:

Name            Version    Date (MM/DD/YY)   Producer
=-----------------------------------------------------------=
AVScan          1.58       06/18/94          H+BEDV GmbH
AV Toolkit Pro  2.00d      06/20/94          KAMI Ltd.
F-Prot          2.12c      06/16/94          Frisk Soft. Int.
Sweep           2.63Beta   06/06/94          Sophos Plc
ThunderByte AV  6.20       05/06/94          ESaSS BV
ViruScan        9.28V116   06/15/94          McAfee Inc.
VirusScan       2.0.2      06/02/94          McAfee Inc.

TEST RESULTS

SMEG v0.1 (Pathogen)

For the test I've infected 996 files (496 COM and 500 EXE) with "Pathogen" replications. Here are the results (996 replications):

Antivirus        | Rel.     | Unrel.   | Not      | %Total
product          | Identif. | Identif. | Detected | Detected
=----------------+----------+----------+----------+-----------=
AVScan 1.58      |      996 |        0 |        0 | < 100.00% >
AVP 2.00d        |      983 |        8 |        5 | <  99.50% >
F-Prot 2.12c     |      996 |        0 |        0 | < 100.00% >
Sweep 2.63Beta   |      996 |        0 |        0 | < 100.00% >
TbScan 6.20      |      368 |        6 |      622 | <  38.72% >
ViruScan 116     |        0 |        0 |      996 | <   0.00% >
VirusScan 2.0.2  |        0 |        0 |      996 | <   0.00% >
=----------------+----------+----------+----------+-----------=

SMEG v0.2 (Queeg)

For the test I've infected 995 files (496 COM and 499 EXE) with "Queeg" replications. Here are the results (995 replications):

Antivirus        | Rel.     | Unrel.   | Not      | %Total
product          | Identif. | Identif. | Detected | Detected
=----------------+----------+----------+----------+-----------=
AVScan 1.58      |      991 |        0 |        4 | <  99.60% >
AVP 2.00d        |      985 |        4 |        6 | <  99.40% >
F-Prot 2.12c     |      991 |        0 |        4 | <  99.60% >
Sweep 2.63Beta   |        0 |      616 |      379 | <  61.91% >
TbScan 6.20      |      120 |        1 |      874 | <  12.16% >
ViruScan 116     |        0 |        0 |      995 | <   0.00% >
VirusScan 2.0.2  |        0 |        0 |      995 | <   0.00% >
=----------------+----------+----------+----------+-----------=

Note: All "Queeg" replications detected by the Sweep have been identified as "Pathogen".

GLOBAL RESULTS

SMEG viruses (1991 replications):

Antivirus        | %Detected | %Detected | %Total
product          | Pathogen  | Queeg     | SMEG
=----------------+-----------+-----------+-----------=
AVScan 1.58      |   100.00% |    99.60% | <  99.80% >
AVP 2.00d        |    99.50% |    99.40% | <  99.45% >
F-Prot 2.12c     |   100.00% |    99.60% | <  99.80% >
Sweep 2.63Beta   |   100.00% |    61.91% | <  81.00% >
TbScan 6.20      |    38.72% |    12.16% | <  25.44% >
ViruScan 116     |     0.00% |     0.00% | <   0.00% >
VirusScan 2.0.2  |     0.00% |     0.00% | <   0.00% >
=----------------+-----------+-----------+-----------=

LEGEND:
Reliably identified:   Detected with the correct name
Unreliably identified: Detected with the wrong name or with the heuristic analyser
Not detected:          Not detected at all
%Total Detected:       The global detection rate (test set=100%)

This
document is available from our official distribution sites (both in English and Italian language) within the archive called VTEST002.ZIP

Sysops or ftp-administrators that wish to become official distributors of I.C.A.R.O.'s documents can contact us at one of the following addresses:

Internet: luca.sambucci@ntgate.unisg.ch
FidoNet:  Luca Sambucci 2:335/348.6

Best Regards,
Luca Sambucci

=**********************************************************************=
Luca Sambucci
Postfach 2006
9001 - St. Gallen
Switzerland

Internet:   luca.sambucci@ntgate.unisg.ch
Fido Net:   Luca Sambucci 2:335/348.6
Caesar Net: Luca Sambucci 175:411/1.1

* PGP public key available on the public key servers *
=----------------------------------------------------------------------=
I bet they've redesigned the whole sickbay too. I know engineers - they love to change things!
McCoy, "The Motion Picture"
=----------------------------------------------------------------------=
=**********************************************************************=

------------------------------

Date: Tue, 05 Jul 94 12:42:01 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: ICARO sites

I am pleased to inform you that now ICARO has three new official distribution sites in three different countries: Germany, Slovakia and Switzerland.
Here's an updated list of the ICARO's official distribution sites:

FTP:

GERMANY:
- ftp.informatik.uni-hamburg.de:pub/virus/texts/tests/icaro

BBS: (in all those BBS the ICARO files are stored in the "ICARO" directory and are freely available to all users)

ITALY:
- Ghost BBS (Rome)
  ++39 - 6 - 550 34 97 (300 - 9600 baud)
  FidoNet: 2:335/420
- S.P.Q.R. Servizi Telematici BBS (Rome)
  ++39 - 6 - 871 82 083 (4800 - 19200 baud ZYX)
  ++39 - 6 - 871 80 915 (300 - 2400 baud)
  FidoNet: 2:335/348

SLOVAKIA:
- Slovak Antivirus Center BBS (Bratislava)
  ++42 - 7 - 2048 232 (300 - 19200 baud ZYX)
  FidoNet: 2:422/80

SWITZERLAND:
- Roesslibox BBS (St. Gallen)
  ++41 - 71 - 24 22 24 (2 lines, 1200 - 19200 ZYX baud)
  FidoNet: 2:301/406

Every Sysop or ftp-administrator who wishes to become an official I.C.A.R.O. distribution site can contact me via electronic mail.

Best Regards,
Luca Sambucci

------------------------------

Date: Tue, 05 Jul 94 18:27:21 -0400
From: Joe Wells <0004886415@mcimail.com>
Subject: WildList for July

============================================================================
PC Viruses in the Wild - July 1, 1994
============================================================================
This is a cooperative listing of viruses reported as being in the wild by 16 virus information professionals. The basis for these reports are virus incidents where a sample was received, and positively identified by the participant. Rumors and unverified reports have been excluded.

The list should not be considered a list of "currently common" viruses however. No provision is made for commonness. A currency basis for the list has been set. Viruses not reported for over a year are removed.
This data indicates only "which" viruses have been found in the wild.
============================================================================
The section below gives the names of participants, along with their organization, antivirus product (if any), and geographic location.

Key Participant            Organization      Product        Location
============================================================================
As  Alan Solomon           S&S Int'l         Toolkit        UK
Dc  Dave Chess             IBM               IBM AntiVirus  USA
Ek  Eugene Kaspersky       KAMI              AVP            Russia
Fb  Fernando Bonsembiante  Virus Report      None           Argentina
Fs  Fridrik Skulason       Frisk Int'l       F-Prot         Iceland
Gj  Glenn Jordan           Datawatch         VirexPC        USA
Jw  Joe Wells              Symantec          NAV            USA
Pd  Paul Ducklin           CSIR Virus Lab    None           So Africa
Pp  Padgett Peterson       Hobbyist          DiskSecure     USA
Rf  Richard Ford           Virus Bulletin    None           UK
Rh  Richard Head           Jade Corp         Scan Vakzin    Japan
Rr  Roger Riordan          CYBEC             VET            Australia
Sg  Shimon Gruper          EliaShim          ViruSafe       Israel
Vb  Vesselin Bontchev      U of Hamburg      None           Germany
Ws  Wolfgang Stiller       Stiller Research  Integ Master   USA
Yr  Yuval Rakavi           BRM               Untouchable    Israel
============================================================================
The first chart is based on two or more participants reporting a virus. Therefore, these viruses are probably more geographically scattered.

CARO Name of Virus        AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr   Alias(es)
============================================================================
3-Tunes..................| . . . . . x x . . . . . . . . . | 1784
AntiCMOS.................| . x . . . . x . . . . . . . . x |
AntiEXE..................| . x . . x . x x . . . . . x . x | D3,Newbug
Athens...................| . . . . x . x . . . . . . . . . | Trajector
Barrotes.A...............| x . . . . . x . . . . . . . . . | Barrotos
Boot-437.................| . . . . . . x . . . . . . . . x |
Brasil...................| . . . . . . x . x . . . . . . . |
Butterfly................| . . . . . . x . . . . . . x . x |
Cascade.1701.A...........| x x . x x . . . . x x . x x . . | 1701
Cascade.1704.A...........| x x x . x . x . . . . . x x . . | 1704
Changsha.................| . . . . . . x . . . x x . . . . | Centry
Chinese Fish.............| x . . . x x x . . . . x . x . x | Fish Boot
CPW.1527.................| . . . . . . x . x . . . . . . . | Mediera,Mierda
Dark_Avenger.1800.A......| x x . x x x x . . x x x . . x . | Eddie
Datalock.920.............| x x . . . . x . . . . . x . . x | V920
Dir-II.A.................| x x x x x . x x . x x x x x x x | Creeping Death
Disk_Killer.A............| x . x . . . . . x x . . x . . . | Ogre
EXE_Bug.A................| x . . . . . x x . x . . x . x . | CMOS Killer
EXE_Bug.C................| . . . . . . . x . . . . x . x . |
Fichv.2_1................| x . . . x . . . . . . . x x . . | 905,CHV 2.1
Filler...................| . . . . . x x . . . . . . . . . |
Flip.2153.A..............| x x . x x . x . . x x . x . . x | Omicron
Flip.2343................| x . . . x . . . . . . . . . . . | Omicron 2
Form.A...................| x x . x x x x . x x x . x x x x | Form 18
Form.D...................| . . . . . . x . . . . . . . . x | Form May
Freddy_2.................| . . . . x . x . . . . . . . . x |
Frodo.Frodo.A............| x . . x x . x . . . x x x x . x | 4096,100 Year
Ginger...................| . . . . . . x . . . . x . . . . | Gingerbread
Green Caterpillar........| x x . . x x x . . x x x x x x . | Find,1591,1575
Helloween.1376...........| x . . . . . x . . x x x . . x x | 1376
Hidenowt.................| . . . . . . x . . x . . . . . . |
Jerusalem.1808.Standard..| x x . x x x x x x x x . x . x x | 1808,Israeli
Jerusalem.Anticad.4096.B.| x . . . x . . . . . . . x . . . | Invader
Jerusalem.Fu_Manchu......| x . . . . . . . . . . . x . . . | 2080,2086
Jerusalem.Mummy.2_1......| x . . . x . . x . . x . x . . . | PC Mummy
Jerusalem.Sunday.A.......| . . . . . . . x . . x . . . . . | Sunday
Jerusalem.Zerotime.Austr.| x x . . . . . . . . . x x . x . | Slow
Joshi.A..................| x x . . x x x . x x x x x x x x |
Junkie...................| . . . . . . . . . . . x . x . . |
Kampana.3700:Boot........| x x . x x x x . . x x . . . x . | AntiTel,Telecom
Keypress.1232.A..........| x x . . . . . . . x x x x . x x | Turku,Twins
Liberty..................| . x . . x . x . . x x . . . x x | Mystic,Magic
Little_Red...............| . . . . . x x . . . . . . . . . |
Maltese Amoeba...........| x x . . x . . . x x . . x . x x | Grain of Sand
Music_Bug................| . . . . x x . . x . . . . . x . |
NJH-LBC..................| x . . . . . . . . . . . . . . x | Korea Boot
No_Frills.Dudley.........| x . . . . . . . . . . x . . . . | Oi Dudley
No_Frills.No_Frills......| . . . . . . x . . . . x . . . . |
Nomenklatura.............| x x . . . . . . . . . . . . . . | Nomen
November_17th.855.A......| x x . . x . x . . . . . . . . . | V855
NPox.963.A...............| . . . . x . x . . . . . . . . . | Evil Genius
Ontario.1024.............| . x . . . . . . . . . x x . . . | SBC,1024
Parity_Boot.B............| x x . . . . x x . x x . . x . . | Generic 1
Ping_Pong.B..............| x x . x . . . . . x . . x . x . | Italian
Predator.2448............| . . . . x . x . . . . . . . . . | 2448
Print_Screen.............| x x . . . . x . . . . . . . . x | India,PrnSn
QRry.....................| . x . . . . x . . . . . . . . . | Query,Quarry
Quox.....................| . x . . x . x . . . . . . . . . | Stealth 2
Ripper...................| x x . . x . x . . . . . . . . . | Jack Ripper
Sat_Bug..................| . . . . . . x . . . . . . . . x | Satan Bug
Sayha....................| . . . . . . x . . . . . . . . x |
Screaming_Fist.696.......| x x . . . x x . . . . . . . x . | Fist 2,Scream 2
Sleepwalker..............| . . . . . . x . . . . x . . . . |
SMEG.Pathogen............| x . . . . . . . . x . . . . . . |
Stealth.B................| . x . . . . x . x x . . . . . . | STB
Stoned.16................| x x . . . . x . . . . . . . . x | Brunswick
Stoned.Azusa.............| x x . . x . x x x . x x x . x x | Hong Kong
Stoned.Empire.Monkey.B...| x x . . x x x x x x . x . x x . | Monkey 2
Stoned.Empire.Monkey.A...| . x . . . . x . . . . x . . . . | Monkey
Stoned.Flame.............| . . . . . . x . . . . x . x . x | Stoned(3C)
Stoned.June_4th..........| x . . . . x x . . . x x . x x x | Bloody!,Beijing
Stoned.Lzr...............| . x . . x . x . . . . . . . . x | Stoned.Whit
Stoned.Manitoba..........| . x . . x . x . . . . . . . . . | Stonehenge
Stoned.Michelangelo......| x x x x x x x x x x x x x x x x |
Stoned.NoINT.............| x x . . x x x x . x . x . . x x | Stoned
Stoned.Standard.B........| x . x x x x x x x x x x x x x . | New Zealand
Stoned.Swedish_Disaster..| x . . . . x . . . . . . . . . . |
Stoned.W-Boot............| . . . . . . x . . . . x . . . x | W-Boot
Stardot.789..............| . x . . . . x . . . . . . . . . | 805
SVC.3103.................| x . x . . . x . . . x . x . . . | SVC 5.0
Tequila..................| x x . . x . x . . x x . x x x x |
Tremor...................| . . . . x . . . . x . . . x x . |
V-Sign...................| x x . . x x x . . x x x x x x x | Cansu,Sigalit
Vacsina.TP-05............| x x . . x x x . . x x . . . x . | RCE-1206
Vacsina.TP-16............| x x . . x . . . . . . . . . . . | RCE-1339
Vienna.648.Reboot........| x x x . . . . . . . . . . . . . | DOS-62
WXYC.....................| . x . . . . x . . . . . . . . . |
Yankee Doodle.TP-39......| x . . . x . . . . . . . . . . . | RCE-2772
Yankee Doodle.TP-44.A....| x . x . x . x . . x x . . x . . | RCE-2885
Yankee Doodle.XPEH.4928..| . . . . x . . . . . . . . . . x | Micropox
============================================================================
Total for first list: 90
============================================================================
The second chart is based on a single participant noting more than one infection site and may signify limited regional virus outbreaks.

CARO Name of Virus        AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr   Alias(es)
============================================================================
B1.......................| . . . . . . . . . . . . . . . x |
Badsectors...............| . . . . . . . . . . . . . . . x |
BootEXE..................| . . . . . . . . . x . . . . . . | BFD-451
Brain....................| . . . . . . . . x . . . . . . . | Pakistani
Cascade.1701.G...........| . . . . . . . . . . . . . x . . | 1701
Chill_Touch..............| . . . . . . x . . . . . . . . . |
Coffeeshop:MtE_090.......| . . . . . . . x . . . . . . . . |
Darth_Vader.3.A..........| . . . . . . . . . . . . . . x . |
Dark_Avenger.2100.SI.A...| x . . . . . . . . . . . . . . . | V2100
Datalock.828.............| . . . . . . . . . . . . . . . x |
Den_Zuko.A...............| x . . . . . . . . . . . . . . . | Den Zuk
DosHunter................| . x . . . . . . . . . . . . . . |
Emmie.3097...............| . . . . . . . . . . . . . . . x |
Even_Beeper..............| x . . . . . . . . . . . . . . . |
EXE_Bug.B................| . . . . . . . x . . . . . . . . |
EXE_Bug.Hooker...........| . . . . . . . x . . . . . . . . |
EXE_Engine...............| . . . . . . . . . . . . . x . . |
French Boot..............| . . . . . . x . . . . . . . . . |
Gippo.Epidemic...........| . . . . . . x . . . . . . . . . |
Gippo.JumpingJack........| . . . . . . . . . . . . . . . x |
Hafenstrasse.............| . . . . . . . . . . . . . x . . | Hafen
Hi.......................| . . . . . . . . . . . . . . . x | Hi.460
Involuntary.A............| . . . . . . x . . . . . . . . . | Invol
Involuntary.B............| . . . . . . x . . . . . . . . . | Invol.B
Japanese_Xmas............| . . . . . . . . . . x . . . . . | Xmas in Japan
Jerusalem.1244...........| x . . . . . . . . . . . . . . . | 1244
Jerusalem.1808.Null......| . x . . . . . . . . . . . . . . |
Jerusalem.Anticad.4096.A.| . . . . . . . . . . . . . x . . | Plastique
Jerusalem.Carfield.......| x . . . . . . . . . . . . . . . |
Jerusalem.Sunday.II......| . x . . . . . . . . . . . . . . | Sunday 2
Joshi.B..................| . . . . . . x . . . . . . . . . |
Jumper...................| . . . . . . . . . . . . . . . x |
Kampana.Galicia:Boot.....| . . . . . . x . . . . . . . . . | Telecom
Keypress.1744............| . . . . . . . . . . . . . . . x |
Little Brother.307.......| . . . . x . . . . . . . . . . . |
Lyceum.1788..............| . . x . . . . . . . . . . . . . |
MISiS....................| . . . . . . . . . . . . . . . x | Zharinov,NIKA
Natas....................| . . . . . . x . . . . . . . . . |
Necropolis...............| . . . . . . . . . . . . . . . x | 1963
Necros...................| x . . . . . . . . . . . . . . . | Gnose,Irish3
November_17th.800........| . . . . . . x . . . . . . . . . | Jan1, 800
Number_of_the_Beast......| . . . x . . . . . . . . . . . . | 512,666
NYB......................| . . . . . . x . . . . . . . . . | New York
Parity_Boot.A............| . . . . . . . . . . . . . . x . |
Peter....................| . x . . . . . . . . . . . . . . | Peter II
Pro......................| . . . . . . x . . . . . . . . . | KMIT
Quit.A...................| x . . . . . . . . . . . . . . . | 555,Dutch
Pathogen:SMEG............| x . . . . . . . . . . . . . . . |
Stinkfoot................| . . . . . . . x . . . . . . . . |
Stoned.Bunny.A...........| . . . . . . . x . . . . . . x . |
Stoned.Dinamo............| . . . . . . . . . . . . . . . x |
Stoned.Michelangelo.K....| . . . . . . . . . . . . . . . x |
Stoned.NOP...............| . . . . . . . . . . . . . . x . | NOP
Storm.1218...............| . . . . . . . . . . . . . . . x |
SVC.2936.................| . . . . . . x . . . . . . . . . |
SVC.3241.................| . x . . . . . . . . . . . . . . |
Stoned.Empire.Int_10.....| . . . . . . . . x . . . . . . . |
Swiss_Boot...............| . . . . x . . . . . . . . . . . | Swiss Army
Swiss_Phoenix............| . . . . . . . . . . . . . . . x |
Syslock.Syslock.A........| x . . . . . . . . . . . . . . . |
Vmem.....................| . . . . . . . . . . . . . . . x |
Voronezh.1600............| . . x . . . . . . . . . . . . . | RCE-1600
============================================================================
Total for both lists: 152
============================================================================
Virus Alerts: Below are reports from participants and others on which viruses are reported and verified in specific areas.

USA - Most frequently reported viruses for May 1992, per Symantec, in order of frequency are: Monkey.B, Stoned.Michelangelo, Form, Stoned.Standard, V-Sign, Stoned.NoInt, Joshi, Stealth.B. Chill_Touch was posted on Ziffnet and downloaded by a few dozen people. Ziff posted a notice about this and is making an effort to reach those who downloaded infected games. NYB virus was shipped to 3000 locations in the US and Canada. Form is rumored to have been shipped in preformatted disks (again). Stealth.B was rumored to have been shipped on some small-capacity hard drives. AntiCMOS has appeared in several locations. Natas has been confirmed at one location in Los Angeles.

Mexico - Natas has been confirmed at several sites in Mexico City. It has also snuck past the US border patrol and appeared in east Los Angeles.

Chile - The most commonly reported viruses, per Juan Vignolo, are: CPW.1527, Green_Caterpillar.1575.A, Stoned.Michelangelo.A, Stoned.NoINT, CPW.1459, Cascade.1701.A, Vacsina.TP.5.A, Ping-Pong.Standard.A, Jerusalem.1808.Standard, Brain.Standard.

Argentina - The most common viruses, per Fernando Bonsembiante, are: Stoned.Michelangelo, Stoned.Standard, Number_of_the_Beast, Jerusalem.1808.Standard, Ping-Pong.Standard, Cascade, Dark Avenger.1800, Kampana Boot, Dir-II, Flip, Frodo, Form.

Japan - The most common viruses, per Richard Head, are: Yankee Doodle, Cascade, Kampana, Form, AntiCMOS, Michelangelo, Kampana.3445, Stoned.Azusa, StarDot.789, Stoned.Standard.

South Africa - EXE_Bug.A is by far the most common, per Paul Ducklin, followed by Stoned.Standard and Stoned.Michelangelo.

United Kingdom - The three most often reported viruses for April, per Richard Ford, were Form (by far number one), with Ripper and Stoned.Standard tied for second. A few cases of SMEG.Pathogen were reported.

Germany - The DR&ET virus has been confirmed in northern Germany and is possibly in Denmark, per Vesselin Bontchev.

Finland - Finnish Sprayer is spreading widely, per Mikko Hipponen.
============================================================================
The collation of this material is done by Joe Wells, Virus Specialist at Symantec, Peter Norton Group, who is solely responsible for its contents. The material presented is implicitly copyrighted under various laws, but may be freely quoted or cited. However, its source and cooperative nature should be duly referenced. Feel free to distribute this list.

Other antivirus product developers are invited to participate in the list. If you wish to do so, please contact me.
============================================================================
The WILDList by Joe Wells -- jwells@symantec.com -- 70750,3457 -- Vol2.07a
============================================================================

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 55]
*****************************************
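
The two WildList charts share one fixed row layout (dot-padded CARO name, sixteen x/. flags in the order of the header keys, optional aliases), so the rows can be parsed and checked against the rule each chart states. The Python below is an added example, not part of the digest or of the WildList itself; the function names are its own and the sample rows are copied from the charts above.

```python
import re

# Column order of the 16 participant keys, as printed in the chart header.
HEADER_KEYS = "AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr"
KEYS = [HEADER_KEYS[i:i + 2] for i in range(0, len(HEADER_KEYS), 2)]

# Row layout: dot-padded name | 16 flags ("x" = reported, "." = not) | aliases
ROW = re.compile(
    r"^(?P<name>.+?)\.*\|(?P<flags>(?: [x.]){16}) \| ?(?P<aliases>.*)$"
)

# Rows copied from the two charts in this digest (first chart, second chart).
CHART1 = [
    "Dir-II.A.................| x x x x x . x x . x x x x x x x | Creeping Death",
    "Kampana.3700:Boot........| x x . x x x x . . x x . . . x . | AntiTel,Telecom",
    "SMEG.Pathogen............| x . . . . . . . . x . . . . . . |",
]
CHART2 = [
    "Natas....................| . . . . . . x . . . . . . . . . |",
    "November_17th.800........| . . . . . . x . . . . . . . . . | Jan1, 800",
    "Stoned.Bunny.A...........| . . . . . . . x . . . . . . x . |",
]


def parse_row(line):
    """Parse one chart row; return None for headers, rules and blank lines."""
    m = ROW.match(line.rstrip())
    if m is None:
        return None
    flags = m.group("flags").split()
    return {
        "name": m.group("name"),
        "reporters": [k for k, f in zip(KEYS, flags) if f == "x"],
        "aliases": [a.strip() for a in m.group("aliases").split(",") if a.strip()],
    }


def check_chart(chart_no, lines):
    """List (name, reporter count) for rows that do not fit the chart's rule:
    chart 1 holds viruses reported by two or more participants, chart 2 by one."""
    misfits = []
    for line in lines:
        entry = parse_row(line)
        if entry is None:
            continue
        n = len(entry["reporters"])
        fits = n >= 2 if chart_no == 1 else n == 1
        if not fits:
            misfits.append((entry["name"], n))
    return misfits


def reports_per_participant(lines):
    """Count how many of the given rows each participant key is flagged on."""
    counts = dict.fromkeys(KEYS, 0)
    for line in lines:
        entry = parse_row(line)
        if entry:
            for key in entry["reporters"]:
                counts[key] += 1
    return counts


if __name__ == "__main__":
    for no, rows in ((1, CHART1), (2, CHART2)):
        print("chart", no, "misfits:", check_chart(no, rows))
    print(reports_per_participant(CHART1 + CHART2))
```

On these sample rows the check reports Stoned.Bunny.A, which carries two flags (Pd and Ws) in the single-participant chart.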