VIRUS-L Digest   Monday, 1 Aug 1994   Volume 7 : Issue 56

Today's Topics:

re: "Good" vs. "BAD" Viruses
Re: Bad and good viruses...
a "Benificial Virus"
Re: Integrity Checking
virus in jpgs
Re: Virus Simulators
Re: Virus Simulation
Re: OS/2 Viruses? Are there a (OS/2)
Filler Virus problem (PC)
Help ! virus Genb is killing us all (PC)
Re: WSUPDATE question (PC)
NLM Scanner Query (PC)
re: Server Downing Viruses (PC)
Re: Monkey Virus (PC)
Re: Thunderbyte Antivirus (PC)
Re: MtE Virus info wanted (PC)
Re: ** Date recovery after Mi (PC)
Re: NAV 2.0 gives false "Maltese Amoeba" alarm (PC)
Re: Norman Virus Control (PC)
Re: CRC values (PC)
Re: Killed the Monkey Virus (PC)
Re: Stealth Virus size-hiding technique? (PC)
Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Rosenthal Virus Simulator (PC)
Re: BIOS Virus Protection, and Checksumming (PC)
Re: Help ! virus Genb is killing us all (PC)
Re: How can I delete "Keypress" (PC)
Re: Jack the Ripper (PC)
Re: need help with kampana virus (PC)
Re: Possible virus? (PC)
Re: Re| VIRSTOP 2.12 Freezes PC (PC)
Re: FORM and Spanish TELECOM (PC)
"AntiCMOS" virus cleaner? (PC)
tbav 6.21 released and available by FTP (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 06 Jul 94 19:31:39 -0400
From: OlPopeye@aol.com
Subject: re: "Good" vs. "BAD" Viruses

WARNING: THIS IS **NOT** A FLAME. APOLOGY FOLLOWS: Yes, I know I said I was quitting this thread a couple of months ago, so please forgive me butting back in. HOWEVER COMMA:

1. We don’t seem to be going anywhere with the grand debate about ‘‘Good’’ versus ‘‘Bad’’ viruses. There is a lot of philosophical BS with zero semantic content going back and forth and resolution is not yet in sight. (As if there would EVER be a resolution!) Is there nothing better or more pressing in the anti-Virus world to discuss?

2. There is a gent with a doctorate flogging a book while smacking basic English in the chops with his ‘‘Here! Here!’’ when the context demands ‘‘Hear! Hear!’’ Should I buy this book? Is its syntax any better? Yes, I know he’s a mathematician, but... So, does this mean I’m also ‘‘context-driven’’? ’S funny that -- I thought ALL languages were ‘‘context-driven’’.

3. When I left this thread ’way back when, I’d asked one of the flak shooters (via private EMail) to substantiate some of his diatribe. He probably thinks he did; I don’t share his opinion. After all, as Aristotle wrote, “One swallow does not make a summer.” (Nicomachean Ethics, bk. I, ch. 7.) I also asked for a copy of the much-bandied-about and magnificent ‘‘KOH Virus’’ (or whatever it is) so I could take a look at what it does. There has been a resounding silence from that neighborhood. (Pardon my sneer... Call it a “Virus” if you like, but remember old Will’s remark of: “What’s in a name? That which we call a rose by any other name would smell as sweet.’’ (Romeo and Juliet, Act: II, Scene: ii.)

4.
One flak shooter’s initials were letter-for-letter duplication of a Virus “tag.” I asked if that was coincidental and he said, “No.” This leads to two possible conclusions: Either (1) He didn’t understand the question (which I took pains to make very simple for him), OR (2) He’s one of the virus-writing vandals (as I call them) that society could do without. Ergo, I have no further truck with this individual.

5. The question of whether a Virus is ‘‘Good’’ or ‘‘Bad’’ is moot. Doggone it, if I didn’t BUY it (shrink-wrap or shareware) or WRITE it or get it freeware or make it, it’s got no business in my computer. If it’s there without my permission, then it’s purely and simply a case of criminal trespass, and I believe district attorneys should start prosecuting these Virus-writing idiots (where they can be identified) for exactly that charge. Your intellectual thrills and First Amendment Rights are limited to YOUR computer; YOUR ‘‘rights’’ STOP at the front door of my business. Or house. Or input port.

6. Whether a Virus formats my hard disk and destroys my carefully built software/data castle, or whether it merely “displays a harmless message,” IF it is occupying valuable and expensive disk space; or IF it is occupying RAM it shouldn’t be; THEN it is stopping my computers’ application(s) in/of/to/for my business; ergo, it’s stealing money out of my pocket. It necessarily follows that it IS harmful to whatever degree, regardless of the naiveté of the idiot who wrote the code or that of the fool who tries to excuse this socially unacceptable and yes, CRIMINAL, behavior.

7. There’s entirely too much bandwidth being wasted on the pseudo-intellectual pursuit of determining whether the plural of ‘‘Virus’’ is ‘‘Virii’’ or ‘‘Viruses.’’ And if you think the concept of “Good” Viruses rates a guffaw, do as I did: I asked a number (

Walter E.
Murdock
olpopeye@svpal.org      > olpopeye@aol.com
75270.37@Compuserve.Com > Retired U.S. Navy Korea '53, Lebanon '58
“Mustang” & Proud Of It. > Dominican Republic '65, Vietnam '65-'68

------------------------------

Date: Thu, 07 Jul 94 03:53:18 -0400
From: bradleym@netcom.com (Bradley)
Subject: Re: Bad and good viruses...

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
> Bradley (bradleym@netcom.com) writes:
> [about the so-called KOH virus]

So called? You yourself named it as Stealth_Boot.D, the standard CARO virus name.

> > It's a virus that does what I said. It includes an uninstall option for
> > the hard drive.
> How about the floppies?

Well... I'm sure you know how it works and what it can and can't do. But no, it doesn't remove itself from floppies. But, as it says in the docs, KOH infection can be turned off. So then the floppies would not be infected.

> > If you want to know more, I have the full KOH document
> > in my little personal FTP site: ftp.netcom.com:/pub/bradleym
> First, the person who has written the preambule for KOH.README
> certainly needs a spelling checker - two errors in a three-line
> message is definitely too much.

So now you're resorting to debasing my spelling? I didn't have any spelling errors in my "preambule". I did change the file names, and not modify the readme to reflect it, but that's not a typo. Also, it's about 8 lines, not 3.

> Second, you are distributing viruses from your account. I am not
> talking only about KOH; but about such things like 40Hex and NuKE's
> InfoJournal - underground magazines that are known to contain virus
> code. Are the Netcom authorities aware that they can be made liable
> for civil damages in several countries if an infection of one of those
> viruses occurs and the source is traced to them? The US Department of
> Treasure got recently a rather negative representation by the press
> because of the virus exchange BBS they were running.
> Would Netcom like
> that I contact a few journalists and tip them that a major US internet
> provider is running a virus distribution board?

That was a big second point, I'll answer in parts. First, Netcom is not responsible for what I do. And Netcom isn't a provider in "several countries", it's a provider in America. The reason that there is a problem with the Treasury (actually The Department of the Treasury) having a VX BBS is that it is run by public funds. My account is run by _MY_ funds. You want to tell the press? I don't care, what can they do to me? I just have text files that I think can be informative to people. And they are also files that I find interesting. There are books that describe killing and other illegal activities, are you going to call the press on them too?

> Third, is Netcom aware that another of his users (to whose directory
> there is a link from yours) is freely making available to the world
> strong cryptographic software and is potentially breaking the ITAR
> export regulations? I couldn't care less about it, because I find the
> US ITAR regulations silly anyway when applied to software that is
> publicly available everywhere in the world, but may I remind you that
> the penalty for breaking this silly law is still 41 to 51 months of
> jail time? Does Netcom know that they could be liable for not taking
> due care of what their users are doing?

Now you're complaining about a non-virus subject. I don't know or care if Netcom is aware of what the users are doing. PGP is available on the Berkeley university computer, a computer paid for by public funds. Complain to them first. BTW, I think ITAR is irrational also.

> > I only have to name one Good Virus (tm) to prove you wrong,
> True, but you have also to prove us that it is Good (tm) and that it
> is a Virus (tm). :-)

You're right, and to prove that it's a Good Virus (tm) I would need to have a clear definition of both "good" and "virus".
It seems that both of these words are in debate currently. But, in this case you have already declared it a virus, that leaves the good part. I think it might be clearer on my part to say that it has the capability for usefulness, while having a limited capability for harm. I'd quote what the dictionary had under the word "good", but it's lengthy.

> > and I have.
> No, you have not. Stealth_Boot.D (the standard CARO virus name for the
> virus you are discussing) has an infection mechanism similar to Stoned
> and causes damage in similar environments. Also, in a previous message
> of mine I listed a few other cases in which this particular virus is
> harmful. So, no, it is not a Good Virus, and you still have to prove
> your claims.

But there are many programs that can cause damage in the same environments, I'm sure you can think of more than a few.

- -----------------------------------------------------------------------
'66 Kombi     | Gimme my old cars any day |    ,__o
'65 Chevelle  | but,                      |  _-\_<,
'63 Dart      | I need a new bike!        | (*)/'(*)
'88 Ritchey   |                           |
bradleym@netcom.com   finger for PGP public key   Hayward, CA

------------------------------

Date: Thu, 07 Jul 94 11:49:30 -0400
From: bchant@enp.umd.edu
Subject: a "Benificial Virus"

Would a "Benificial Virus" not just be a program?

Bryan
Mx%"BCHANT@ENP.UMD.EDU"

------------------------------

Date: Thu, 07 Jul 94 12:44:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Integrity Checking

Bill Lambdin (bill.lambdin@pcohio.com) writes:

> Myself. I prefer an integrity checker that has an option that saves the
> integrity datafiles to diskette. so I can boot clean once or twice a
> week from diskette, and perform a full integrity check.

While this is indeed an important property of a good integrity checker, it is not the only one that is essential.

> The integrity data files stored on the hard drive are open to attack by
> viruses.

Only if the viruses are able to find them there.
The integrity checker does not have to make it easy for them to do so, although, regrettably, many do.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:59:41 -0400
From: fletcher@bud.peinet.pe.ca (Scott Fletcher)
Subject: virus in jpgs

Hello everyone,

I just finished talking to someone who said that viruses can be hidden in and released from jpgs. It is the first time I have ever heard of this. Has anyone else heard of this and if so, is there any virus protection currently available that will check jpgs? Any comments or suggestions would be appreciated.

Scott Fletcher
- --
|===========================================================================|
| Scott Fletcher              || End User Support |
| fletcher@bud.peinet.pe.ca   || 902 892-7346     |
|===========================================================================|

------------------------------

Date: Thu, 07 Jul 94 14:35:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Simulators

Burton.Weatherford@Syntex.Com (Burton.Weatherford@Syntex.Com) writes:

> Mr. Skulason stated that virus simulators were *not* intended to set off avs
> scanners.

Well, at least *some* simulators (e.g., Doren Rosenthal's) *are* intended to set off the anti-virus scanners. Frisk's point was that, since they are not viruses, any such setting off should be considered as a mistake and indicate an imperfection of the respective scanner.

> If this is the case what can a company use to evaluate various avs
> products so as to decide for themselves which scanner scans faster, is more
> accurate, uses less memory, etc., and not have to rely on marketing hype?
You don't need any special additional programs in order to evaluate which scanner scans faster and which uses less memory. Just request an evaluation copy of the scanners you are trying to choose from, and run them on a large and full hard disk - this way you'll be able to measure their speed yourself. Testing the memory requirements is only a little bit harder - you'll need a small TSR program that reserves an indicated amount of memory on your computer, so that you can determine with how much (how little, actually) memory a scanner will still run. One such program (EATMEM) is included in a shareware package of memory-inspecting utilities, called TSR25COM or something like that, which is available on the ftp sites.

Now, testing the detection rate and the accuracy - in short, the anti-virus properties - of a scanner is a completely different story. You will need a competent anti-virus researcher with a large and well-organized virus collection - don't even dream of performing such a test yourself. The problem of finding such an anti-virus researcher, who is independent (i.e., doesn't have an anti-virus product to sell), is left as an exercise to the reader. :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 14:55:44 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Simulation

Dr. David B Hull (dhull@nunic.nu.edu) writes:

> In particular, Rosenthal Engineering's Virus Simulator does a
> reasonable job and I have used it repeatedly in teaching anti-virus
> and computer security tactics.

It is a very misleading product and the fact that it has succeeded to mislead you shows how harmful it can be.
> It allows students to actually
> detect a "virus" and get the feel of the various scanners on
> the market.

No, it fools the students that they have detected a virus - because what it generates are not viruses (with one exception; I'll treat it later). It would be fine if you want to show the students how easy it is to fool some scanners to cause a false positive, but the way the product is presented is not for such purposes. And fact is that you are not using it for such purposes - i.e., it has succeeded to fool you too.

> It provides experience in eradicating viruses, and
> allows a complete walk through of a security system.

No, it doesn't. What it generates are not viruses. Therefore, those files cannot be disinfected. They can only be deleted, but, I repeat, they are not infected. So, what kind of experience do your students really get? They learn that when a false positive occurs (what they think is a virus), they should delete the non-virus files from the system. A very valuable experience, indeed.

> I would
> not try a hospital fire drill with a full scale real fire; but then I
> wouldn't consider a fire drill complete unless I have the
> fire marshals outside in the parking lot extinguishing a
> fire in a 55 gallon drum, under supervision of the fire
> department of course.

But you certainly wouldn't consider as sufficient or even useful to do the training by using a wooden imitation of the fire extinguisher, "using" it on a piece of paper on which you have the word "FIRE" written with big, red letters, would you? Because, this is the kind of simulation that Rosenthal's simulator provides.

> I must also agree, however, despite being touted as a means
> of evaluating various scanners; it probably is not the best way
> of doing this.

It is, indeed, completely useless for those purposes.
No, worse, it is even harmful, because it could create a false sense of security, or cause the "evaluator" to reject a better scanner that happens not to detect the non-viruses generated by the simulator.

> On the other hand, should I tell my students to
> believe what is written on the scanner packages ?

Certainly not. What you need is to design a good, well-organized, hands-on course with real viruses, in a strictly controlled environment. We are providing such experience to our students and several anti-virus companies (S&S International and Sophos, for instance) offer such training courses.

Regards,
Vesselin

P.S. I almost forgot. As I mentioned above, Rosenthal's so-called "virus simulator" generates mostly non-viruses. With one exception. The registered version of the simulator comes with two live, MtE-based real viruses. You have to exercise on them the same kind of care that you do with other real viruses - to prevent your students from accidentally releasing them, or from knowingly stealing them, modifying them, and using them for some malicious purpose. Well, since you have to do this anyway with any real virus, why should you pay for Rosenthal's simulator? Consider the ethical side of sponsoring the virus writers by buying their viruses...

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 12:44:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: OS/2 Viruses? Are there a (OS/2)

Bill Lambdin (bill.lambdin@pcohio.com) writes:

> I know of one OS/2 virus.

There exists at least one more.

> It was published in an issue of 40HEX. This virus is a stupid non
> resident direct infector.

...and an overwriter, on top of that.
And it wouldn't even work, if compiled as the article in 40Hex suggests. Obviously, as often happens, the virus author has not bothered, not only to test his creation - he has not bothered even to run it at least once.

> I have heard that there is another (resident) OS/2 infector, but I
> haven't seen this virus, and it may not exist.

It exists, but it is not resident.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Wed, 06 Jul 94 17:23:01 -0400
From: Matias_Piccione@south-america.notes.pw.com
Subject: Filler Virus problem (PC)

Does anyone know how to deal with it? (I've found it in a client's machine)

If you scan the PC several times, you only find the virus sometimes, due to its stealth techniques. (The programs that detected the virus are the following: Scan 113 & Scan 115, and Dr. Solomon's Findviru)

I've tried the following:

1. Boot from a clean, write-protected diskette
   1.1 Scan (115) the hard disk
   1.2 Findviru (S&S Dr Solomon's AV)
   - -- No virus found --- (Ok, the virus is not memory resident because I boot from diskette)
2. Cleanpar
3. Fdisk /mbr
   - -- Well, I hope I defeated him! --

I restarted my PC, and ran Scan 115 a couple of times, but again the following message was displayed:

"Scan detected Filler virus resident in memory. Please turn off your computer and re-boot from a clean write protected diskette to evaluate the hard disk damage"

Any idea or comment would be appreciated.

Thanks in advance

Matías Piccione
Price Waterhouse & Co.
Bs.As., Argentina
e-mail address: Matias_Piccione@south_america.notes.pw.com (you can add: "@ Internet" at the end of the line)

------------------------------

Date: Wed, 06 Jul 94 23:56:05 -0400
From: simon@sgp.hp.com (Simon Chong)
Subject: Help ! virus Genb is killing us all (PC)

Wonder if anyone has come across Genb, which attacks the boot sector of floppy diskettes. It certainly appears harmless... It seems to go along with Genp, which sticks on to the boot sector of the hard disk but can be removed using McAfee Clean v115 (issue in June 1994). But the same McAfee Clean v115 doesn't seem to be able to clean the virus [Genb] on the floppy... it just seems to hang there. Could this be another McAfee Clean bug?? Any idea out there for an alternative?

This nasty little (call it so as we still don't know what effect it has on our system) virus is spreading like an epidemic --- flu! Hope someone could provide some pointers :-(

===================================================================
Simon Chong (Consultant)            Telnet   : 520-6495
PSO Hewlett Packard (Sales)         Tel      : 65-290-6495
150 Beach Road #29-00               Fax      : 65-296-8864
Gateway West Singapore 0718         Internet : simon@hpss2.sgp.hp.com
- -------------------------------------------------------------------

------------------------------

Date: Thu, 07 Jul 94 08:15:57 -0400
From: "The Radio Gnome"
Subject: Re: WSUPDATE question (PC)

Vesselin Bontchev writes:
>> BTW, how is a program like WSUPDATE (Novell Netware) classified?
>
>What does it do? Automatic software distribution, like rdist(1) does
>in the Unix world? Then it can provide very convenient means for a
>virus to spread.

WSUPDATE is used to write the latest versions of network programs to workstations. Most often used to update old network shells. If a shell program on the server got infected, then WSUPDATE would become an unwitting vector for spreading the virus/trojan, although this is an unlikely scenario.
>> I just posted a note on the Novell list about using it to control DOOM
>> and other nuisance net games.
>
>Sorry about the off-topic message, but I happen to disagree with you
>here. DOOM is a very fine game and the latest version (1.2) does not
>cause network overload like version 1.1 and below used to.

I guess the DOOM being flamed on NOVELLR was the older nethogging 1.1. Other high-traffic IPX/IP based games garner the scorn of Netware sysadmins because they run from the workstation (on diskette sometimes) and not the file server. Managers worry about infectious PD/shareware games that either infect the users' files or are poorly written network-wise, the latter problem causing performance problems on the wire or even packet storms.

Andy Wing - Temple University Computer Services

------------------------------

Date: Thu, 07 Jul 94 08:53:38 -0400
From: hazen@phoenix.cs.uga.edu (Mark)
Subject: NLM Scanner Query (PC)

We're trying to decide what would be the best all-around Novell NLM to license for our campus to manage active virus scanning. We're testing both Central Point's NLM, as well as Net-Prot (F-Prot's offering). Our campus standard is Netware 3.12.

What we're interested in is responses from people who have installed these, or other software packages, and have bugs, problems, positive notes and/or recommendations, caveats, etcetera.

We require the following features:
-Active scanning of all executables run from or stored on the network machine
-Daily scheduled scan of the network machine
-Automatic removal of questionable materials to a safe directory

What we'd -like- is:
-Daily scans of all user machines during login, maybe more than daily for those who log in frequently.
-Passive scans of files and the system; i.e. when the system has a low load, maybe background scanning of all files or archives
-Bells and whistles

Please feel free to repost this message to your own campus (Please do! We need all of the responses we can get).
If you have any input at all, please feel free to let us know what you've seen/think/believe.

Thanks,
-Mark
- --
:Mark Hazen                    hazen@phoenix.cs.uga.edu
:Family & Consumer Sciences    mhazen@hestia.fcs.uga.edu
:Human beings were created by water to transport it uphill.

------------------------------

Date: Thu, 07 Jul 94 11:36:17 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: re: Server Downing Viruses (PC)

From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Server-Downing Viri (PC)

>Except Jerusalem.Standard. It will hang the workstation, because it uses
>an "Are you there?" call that conflicts with Novell NetWare's printing
>services.

Well, if you are running Netware 3.x or 4.x this is true, but not 2.x, Lantastic, or other competing networks.

Interesting thought: A few years ago a friend of mine made quite a noise about the Jerusalem and Novell 2.x. Novell denied it and at one point threatened my friend with legal action but later dropped the subject. Coincidentally, when 3.x was introduced it just "happened" to use the same interrupt function that the Jerusalem.standard did, so that logging into a server would crash the infected workstation. (However the Jerusalem derivative "Sunday" used a slightly different function & is happy with Netware).

Warmly,
Padgett

ps no virus that I know of infects Netware (the OS running on a Novell server), only files that are stored by it.

------------------------------

Date: Thu, 07 Jul 94 12:27:55 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey Virus (PC)

Ruben Arias (ruben@ralp.satlink.net) writes:

> Would you please detail which Anti-Viral Package is in use in your machine ??
> That's in order to establish what kind of product(s) detect Monkey virus
> in memory.
The program KillMonk3 is able to detect and deactivate the Monkey viruses (and also the Int_10 viruses) in memory and to identify and remove them from the disk(s). It is available free of charge from many anonymous ftp sites, including ours:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/killmnk3.zip

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 12:40:50 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Thunderbyte Antivirus (PC)

Joe Norton (al026@yfn.ysu.edu) writes:

> ML> No doubt, Thunderbyte is better than all others I know.
>
> It is the fastest, and it probably detects more than anything
> else.

It is indeed the fastest, but there are several other products with a better detection rate than it. One of them is F-Prot.

> It does give off a lot of false alarms though.

Hm, this is not my impression... TbScan's heuristic analyser seems to be very well designed and gives an amazingly low number of false positives for its high detection rate. Make sure that you use the "autoheuristics" or "noautoheuristics" modes and NOT the "high heuristics" mode, which is rather paranoid and will give false positives.

> Where I work at we use F-Prot. F-Prot is just as effective at
> detecting any of the common viruses, it is better at cleaning
> them, and costs a *LOT* less.

According to my tests, it also has a better detection rate than TbScan, although the difference is not a very big one and both scanners are in the "excellent" range (i.e., detection rate of 90% or above).

> I do wish F-Prot would add
> a small thing for immunizing drives like TBUTIL -im though.

Consider Padgett's DiskSecure II.
It does approximately the same thing and is freeware.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 12:41:15 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MtE Virus info wanted (PC)

Bill Lambdin (bill.lambdin@pcohio.com) writes:

> Dr. Solomon's Anti-Virus Toolkit (commercial)
> F-Prot FP-212C.ZIP
> Integrity Master I_M222.ZIP
> McAfee's Scan SCN-116.ZIP
> SCN202.ZIP
> These and many others can detect MtE reliably.

I'm sorry, but, according to my tests, none of the above products detects reliably all known MtE-based viruses. In particular, McAfee's SCAN 2.02 is extremely bad in this aspect. Please, consider revising your tests to use more replicants and a richer set of MtE-based viruses.

Also, I remember that there have been claims here that Norton Anti-Virus version 3.0 must be able to detect all MtE-based viruses reliably. Now that I have finally managed to test it, I have to say that this is not the case. It does not detect reliably at least four MtE-based viruses.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 12:47:30 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ** Date recovery after Mi (PC)

Bill Lambdin (bill.lambdin@pcohio.com) writes:

> To recover these extended partitions, you will have to re-construct the
> partition table information.
Re-constructing the partition table information is the easiest thing to do after a Michelangelo attack. The real trouble comes when you try to recover the overwritten *data*.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 12:49:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NAV 2.0 gives false "Maltese Amoeba" alarm (PC)

Oleg Nickolaevitch Kazatski (kazatski@kartaly.chel.su) writes:

> NAV 2.0 indicates that my machine running MS DOS 5.0 has the
> "Maltese Amoeba" virus in two files but I can not find any viruses in
> these files. I suspect this is a false alarm.

It is, indeed, and a very old and well-known one at that. Besides, NAV 2.0 is a really obsolete scanner and is not supported any more. If you insist on using NAV, at least consider upgrading to a more up-to-date version.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 12:59:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Norman Virus Control (PC)

Guffey, Steven W. (sguffey@pafosu1.hq.af.mil) writes:

> Has anyone used/evaluated this product?

Yes, I have. However, the copy given to us by Norman suddenly stopped working with a message "This DEMO version has expired".
Since we do not evaluate crippleware, test results for it will not be included in the comparative scanner tests that we are about to publish. I could share with you my overall impressions of the product, however. I mean, the ones I got while it still worked.

> If so, what did you think of it?

A moderately useful product. Contains a scanner, resident scanner, behaviour blocker, and boot sector restoring program. Does not contain an integrity checker, unless you classify the boot sector restoring program in this category.

> They claim to be able to detect 99%+ viruses. Has anyone been able to test
> this claim?

Rubbish. Their detection rate is about 75%. Better than NAV 3.0 but worse than McAfee's SCAN. Also, they used to claim to be TOAST - "The Only Anti-virus Software That detects Satan Bug". Too bad that they can't substantiate their claims. There might be programs that detect this virus reliably, but this one is not one of them. The virus also infects device drivers, but the scanner does not look for it there.

> Is the virus database (V-base) accurate? (Or at least more accurate than VSUM)

Almost *anything* is more accurate than VSUM. :-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:05:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CRC values (PC)

Bill Lambdin (bill.lambdin@pcohio.com) writes:

> Here are CRC values for executable files in the following list of virus

Bill, as I already explained to you in another newsgroup, this information is totally useless, because:

1) You could simply post a listing of the archives, which includes a CRC-32 checksum.
   It provides at least as much authentication (i.e., almost none) as two CRC-16 checksums.

2) It is trivial to forge a CRC.

3) You should have posted a secure hash instead (MD4, MD5, or SHS), and should have clearsigned your post with your PGP key - and even then you would have provided as much authentication as the users are willing to trust your public key.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:15:39 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Killed the Monkey Virus (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

> of yours, may I kindly suggest that you check your facts first (and
> carefully!) before posting information that could mislead some less
> experienced people who might happen to read it? Thanks.

> Of course there are. Most of the virus body in the floppy boot sector
> or the hard disk MBR is unencrypted and a scan string from it can be
> picked easily. It is the *original* MBR that is encrypted, but even
> then the encryption is trivial (XOR with 2Ah).

As one reader pointed out to me in private e-mail, I should have taken my own advice. :-) The encryption is done by XORing with 2Eh, not with 2Ah. Sorry about the confusion that the above typo might have caused.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:22:25 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stealth Virus size-hiding technique? (PC)

dave nikuya (dnikuya@netcom.com) writes:

> size, etc. My question is: assuming that they have not added so much
> size to the infected file that it requires more clusters (and would
> therefore set off alerts from CHKDSK et.al.), would it not be easier
> and just as effective to simply change the size recorded in the
> directory back to the original size?

No. If the directory entry indeed indicates a smaller size (as opposed to being "spoofed" only during directory inspection operations), then DOS will load only part of the file when it is executed - as much of it as the directory entry says there is. Most viruses are at the end of the file, which means that the virus will not be loaded in memory when the file is executed. However, since the file entry point is modified to point to the virus code (which is not loaded), this means that at runtime it will point to garbage (whatever happens to be in memory) and the infected program will crash.

An alternative approach is to put the virus at the beginning of the file and store the overwritten (original) part of the file after the end of the file indicated by the directory entry. This is a viable approach, and at least two virus families are using it - the Number of the Beast and Necropolis viruses. However, the approach is much more difficult to implement. Also, it would mean that if you copy the file when the virus is not active in memory, you won't copy an essential part of it, and the copy will crash when executed. This is exactly what happens with the viruses mentioned above.
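A small model of the first case Vesselin describes, added here as an illustration and not code from the digest or from any product named in it: a toy directory entry, a loader that reads only the recorded size (as DOS does), and a CHKDSK-style allocation check. The cluster size, the 700-byte host and the appended filler are all constructed values; no real infector code is involved.

```python
"""Why patching the directory size does not hide an appended virus.

Added example, not code from the digest.  Toy FAT-style volume: a file has
a directory entry (recorded size, entry point) and the bytes actually stored
in its clusters.  The loader does what DOS does, reading only as many bytes
as the directory entry claims; the chkdsk pass compares the clusters a file
occupies with the clusters its recorded size needs.  Cluster size, host
bytes and the appended filler are constructed values.
"""
from dataclasses import dataclass

CLUSTER = 512  # constructed cluster size; real volumes use 512 .. 32768


@dataclass
class File:
    data: bytearray      # bytes on disk, i.e. the whole cluster chain
    recorded_size: int   # size field of the directory entry
    entry_point: int     # offset the loader jumps to after loading


def clusters_needed(nbytes: int) -> int:
    """Clusters required to hold nbytes (ceiling division)."""
    return -(-nbytes // CLUSTER)


def append_parasite(f: File, parasite: bytes, hide_size: bool) -> None:
    """Append `parasite` (inert filler here), point the entry at it, and
    optionally write the old size back into the directory entry."""
    old_size = f.recorded_size
    f.data += parasite
    f.entry_point = old_size  # first byte of the appended block
    f.recorded_size = old_size if hide_size else len(f.data)


def load_and_run(f: File) -> str:
    """Imitate the DOS loader: only `recorded_size` bytes reach memory."""
    image = bytes(f.data[:f.recorded_size])
    if f.entry_point >= len(image):
        return "crash: entry point outside loaded image"
    return "ok: runs code at offset %d" % f.entry_point


def chkdsk(f: File) -> str:
    """Flag a file whose cluster allocation does not match its recorded size."""
    need = clusters_needed(f.recorded_size)
    have = clusters_needed(len(f.data))
    if have != need:
        return "allocation error: %d clusters allocated, %d expected" % (have, need)
    return "ok"


def demo(hide_size: bool, parasite_len: int) -> tuple:
    """Infect a constructed 700-byte host and report (loader, chkdsk) results."""
    host = File(bytearray(b"\x90" * 700), 700, 0)
    append_parasite(host, b"\x00" * parasite_len, hide_size)
    return load_and_run(host), chkdsk(host)


if __name__ == "__main__":
    for hide, plen in ((True, 1200), (True, 200), (False, 1200)):
        print("hide_size=%-5s parasite=%4d -> %s; chkdsk: %s"
              % ((hide, plen) + demo(hide, plen)))
```

The middle case is the one the question asks about: a parasite small enough to fit in the slack of the last cluster passes the allocation check, yet the program still crashes, because the loader never brings the appended bytes into memory. A clean-boot integrity check that compares recorded size with the bytes actually on disk catches both cases; the allocation count alone catches only the larger one.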
(Well, some variants are intelligent enough to exit to DOS instead of trying to run the garbage code, but the outcome is the same - the copy of the program does not work any more.)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:31:37 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

dhull@nunic.nu.edu (Dr. David B Hull) writes

>I have to disagree about the usefulness of virus simulations.
>In particular, Rosenthal Engineering's Virus Simulator, does a
>reasonable job and I have used it repeatedly in teaching anti-virus
>and computer security tactics. It allows students to actually
>detect a "virus" and get the feel of the various scanners on
>the market. It provides experience in eradicating viruses, and
>allows a complete walk through of a security system. I would
>not try a hospital fire drill with a full scale real fire;

Thank you for your very positive comment about my Virus Simulator on Virus-L. Your useful application of my Virus Simulator for training and demonstrations is exactly its intended purpose and I appreciate your sharing that publicly.

>I must also agree, however, despite being touted as a means
>of evaluating various scanners; it probably is not the best way
>of doing this. On the other hand, should I tell my students to
>believe what is written on the scanner packages ?

Yes. Virus Simulator is not a substitute for testing with a comprehensive collection of real viruses and its limitations are described in the documentation.

>For $25 for a single user license; it is a lot nicer than the
>FORM virus I used to use for training - and lets you sleep at
>night too.
The current shareware version of Virus Simulator is VIRSIM2C.ZIP and is available from most BBS's, ftp sites and ASP vendors. Registered users now receive three additional supplements described in the documentation.

Doren Rosenthal, member ASP & ASAD
as194@cleveland.freenet.edu
Rosenthal Engineering
P.O. Box 1650
San Luis Obispo, CA USA 93406
- -------------------------------------------------------------

------------------------------

Date: Thu, 07 Jul 94 13:34:06 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (PC)

Ian Douglas wrote:

>IMHO, there is no such thing as a benign virus - if it replicates, it
>has to either create files (companion) or mess with existing files,
>BS, or FATs. When it does so, it ceases to be 'harmless' and starts
>causing damage.

Not necessarily, as the Virus Simulator MtE supplement first supplies its own host sample files to infect. At first only two samples are infected with a virus based on an actual Dark Avenger mutation engine that has been made safe and benign. When the (clearly marked) infected test samples are executed, they announce their intention and, if given the user's permission, will in turn infect (only) the other host files supplied on the floppy disk. The Virus Simulator MtE supplement virus therefore has both the permission of the user and the consent of the copyright holder (me) of the host files it modifies. Clearly, these are real polymorphic viruses that are safe, harmless, controlled, serve a useful function, and .....
are BENIGN

Doren Rosenthal

------------------------------

Date: Thu, 07 Jul 94 13:34:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: BIOS Virus Protection, and Checksumming (PC)

Jim Gallegos (Jim_Gallegos@Sterling.Com) writes:

> In reading prior appends on using BIOS-based boot sector virus
> protection, I get the slight impression that it is not a desirable

On the other hand, those protections often display messages that confuse the inexperienced user. One such product says "Chip Away Virus Enabled". What it really means is that the virus protection called "Chip Away Virus" (i.e., a chip to keep the viruses away) is enabled. Unfortunately, this leads to phone calls from scared users, who complain that "Some virus called 'Chip Away' just displayed a message that it has enabled itself on my computer. How do I remove it? What does it do?". After you get a few hundred such phone calls, you'll begin to doubt whether that famous BIOS-based virus protection is really such a good idea.

Similarly, some BIOS-based virus protections just write-protect the boot sectors. Unfortunately, in many cases there are pretty legitimate reasons to modify a boot sector - for instance, when you format a floppy, or when you are re-partitioning your hard disk, or even when installing some security product. In those cases, the protection usually displays some kind of message, which eventually leads to a phone call to the tech support team - unless the panicked user decides to handle the problem themselves and simply formats the hard disk. :-(

> I would also like to "baseline" my systems by scanning executables
> after installation and computing a checksum/etc. and then periodically
> performing a re-scan to see if there are any changes (that I didn't cause
> myself, that is!). Does anyone know of such a utility? (I think CPAV
> does this, but I am not sure).

CPAV indeed does it, but in a terribly insecure way. Don't rely on it.
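The "CRC values" thread above (a CRC is trivial to forge) and the baseline question here (checksum executables after installation, re-scan later) come down to the same point, so one added example serves both. It is not code from the digest or from any product named in it. The first part shows that four trailing bytes are enough to give any file any CRC-32 value, using only the linearity of the CRC; the second part builds a baseline from HMAC-SHA-256 under a key that is kept off the scanned disk, which is what a checksum needs in order to count as an integrity check. MD4, MD5 and SHS were the options in 1994; SHA-256 stands in for them here. File names, contents and the key are constructed; only Python's standard zlib, hashlib and hmac modules are used.

```python
"""Why a CRC is not an integrity check, and what a baseline needs instead.

Added example, not code from the digest.  Two parts:
 1. crc32_patch(): appends four bytes to any data so that zlib's CRC-32
    equals a chosen value.  It relies only on CRC-32 being linear over
    GF(2); no search is needed, which is what "trivial to forge" means.
 2. A baseline of HMAC-SHA-256 values under a key that is not stored
    beside the files.  A modified executable cannot be patched back into
    the baseline without that key.
"""
import hashlib
import hmac
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses

# Register value after one byte is fed into a zero register, for each byte.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The top byte of TABLE[i] is a permutation of 0..255, so it identifies i.
TOP_INDEX = {TABLE[i] >> 24: i for i in range(256)}
assert len(TOP_INDEX) == 256, "CRC-32 table top bytes must be distinct"


def crc32_patch(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF  # internal register after `data`
    want = target ^ 0xFFFFFFFF          # register value that yields `target`

    # Backwards from the wanted register: each step's table index is fixed
    # by the register's top byte and does not depend on `data` at all.
    indices = []
    cur = want
    for _ in range(4):
        i = TOP_INDEX[cur >> 24]
        indices.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & 0xFFFFFFFF
    indices.reverse()

    # Forwards from the real register: pick each byte so that the table
    # index the CRC update uses is exactly the one found above.
    patch = bytearray()
    for i in indices:
        patch.append(i ^ (reg & 0xFF))
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(patch)


def crc32_matches(data: bytes, target: int) -> bool:
    """True when the 4-byte patch really drives the CRC-32 to `target`."""
    return zlib.crc32(data + crc32_patch(data, target)) == target


def forge_to_match(original: bytes, tampered: bytes) -> bytes:
    """`tampered` plus a 4-byte tail whose CRC-32 equals the original's."""
    return tampered + crc32_patch(tampered, zlib.crc32(original))


def demo_forgery(original: bytes, tampered: bytes) -> tuple:
    """(CRC-32 equal?, SHA-256 equal?) for the forged copy vs the original."""
    forged = forge_to_match(original, tampered)
    return (zlib.crc32(forged) == zlib.crc32(original),
            hashlib.sha256(forged).digest() == hashlib.sha256(original).digest())


def make_baseline(files: dict, key: bytes) -> dict:
    """Map file name -> hex HMAC-SHA-256 of its contents under `key`."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def rescan(files: dict, baseline: dict, key: bytes) -> list:
    """Names whose contents no longer match the baseline (missing counts)."""
    current = make_baseline(files, key)
    return sorted(name for name in baseline
                  if not hmac.compare_digest(current.get(name, ""), baseline[name]))


if __name__ == "__main__":
    # Constructed sample "executables"; any byte strings would do.
    original = b"MZ" + bytes(range(256)) * 4
    tampered = original[:100] + b"\x90" * 16 + original[116:]
    print("CRC-32 / SHA-256 equal after forgery:", demo_forgery(original, tampered))

    key = b"constructed-demo-key-keep-it-off-the-scanned-disk"
    disk = {"PROG.EXE": original, "UTIL.COM": b"\xB8\x00\x4C\xCD\x21"}
    base = make_baseline(disk, key)
    disk["PROG.EXE"] = forge_to_match(original, tampered)
    print("changed since baseline:", rescan(disk, base, key))
```

A plain SHA-256 baseline already defeats the four-byte patch; the key matters when whoever alters a file can also rewrite the baseline file, since without the key a matching entry cannot be recomputed. That is also why the key, like the baseline itself, belongs on a write-protected floppy or another machine rather than on the disk being checked.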
Better consider some other products, like Untouchable or at least Integrity Master.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:42:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help ! virus Genb is killing us all (PC)

Simon Chong (simon@sgp.hp.com) writes:

> Is there anyone who has come across a vaccine for a virus called 'Genb' ? Well, the same virus
> when it attacks the hard disk is called 'Genp' - that's what the McAfee virus scan s/w says

There is no such thing as *the* Genb/Genp virus. This is SCAN's way of telling you "There is something very suspicious in the boot sector / master boot sector of this disk, and I am pretty sure that it is a virus, but I have no idea which particular virus that might be".

> At moment, only solution is to reformat the floppy diskette.

Or running SYS on it.

> Anybody care to give some ideas what we could do - will be much appreciated

My suggestion is that you use a different anti-virus product - one that has better virus identification and removal. Give F-Prot a try - it's an excellent one.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:48:15 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How can I delete "Keypress" (PC)

Yuan Jiang (yjj@eng.umd.edu) writes:

> My disks are infected with "Keypress" when I use "scan", but
> "clean" does not clean it. What should I use?

A better scanner/remover. There are at least 23 different variants of Keypress. I can't help you if I don't know which one exactly you have. Try running F-Prot 2.12c - it can detect all the 23 variants, identify most of them, and disinfect 19 of them.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:44:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Jack the Ripper (PC)

amato@hei.unige.ch (amato@hei.unige.ch) writes:

> We are looking to find an anti-virus that is able to clean the "Jack the
> Ripper" virus.

F-Prot version 2.12c should be able to remove this virus. However, be aware that the virus is very destructive - it slightly corrupts the information on your hard disk, and there is no way to determine which parts exactly have been corrupted.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:53:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: need help with kampana virus (PC)

Cliff Landesman (clandesm@panix.com) writes:

> and it reported the kampana virus in memory. How do I reboot from a clean
> boot disk? My DOS 5.0 came with the used computer I bought and I only
> have the original diskettes for DOS 4.0, not 5.0. I'd like to keep 5.0, if
> possible. If I install 4.0, will I lose 5.0?

You don't have to *install* version 4.0. Just boot from the DOS 4.0 system diskette, without installing the operating system on the hard disk, and then run F-Prot from a floppy.

> How serious is the kampana virus?

Depends on your definition of "serious". On the 400th boot from an infected disk, the virus will overwrite all sectors of this disk with the contents of the interrupt vector table.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 13:55:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Possible virus? (PC)

slb96@cc.usu.edu (slb96@cc.usu.edu) writes:

> Forgive me if this is not a virus, but I feel that it is. About 5 or 6 months
> ago I turned my computer on and got an error, HD Controller Error. Since then

[symptoms deleted]

> So I guess it all
> boils down to this question, Might I have a virus?

Almost certainly - no. Sounds pretty much like a hardware failure of some sort. Could be that your hard disk is faulty, or that there is some kind of incompatibility between the different cards in your computer.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 14:09:15 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Re| VIRSTOP 2.12 Freezes PC (PC)

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> > right. The exact reason....uh, well...Virstop uses some "dirty tricks", a
> > 386max does too....and those tricks are mutually incompatible.

> What are these "dirty tricks" ?

VirStop uses interrupt tracing and the extended memory managers like 386MAX, EMM386, or QEMM can use memory shadowing. Those techniques are pretty incompatible with each other. Do you feel better now? :-)

> > Virstop work on old Cyrix 486SLCs (which are not 100% Intel compatible)

> Why ?

That Cyrix CPU has a hardware bug that only appears in single-tracing mode.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 14:25:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM and Spanish TELECOM (PC)

Henrik Stroem (hstroem@ed.unit.no) writes:

> If using the BootManager, Form will infect the BootManager partition.
> Removal consists of booting OS/2, running FDISK, removing BootManager
> from partition table, then creating it again (without exiting), then
> adding bootable entries. Tedious; yes. Very; no.

[snip]

> Removing Form from an HPFS partition is what I would call *very* tedious.
It's not *that* easy. :-) I was not talking about just overwriting the infected boot sector with something else. Recall that when Form infects the hard disk, it overwrites the last two sectors of the active partition with the second part of its body. This could corrupt the file system if the active partition is not a DOS FAT system - which is exactly the case when BootManager or HPFS are used. In particular, a BootManager partition becomes non-bootable, so the user must boot OS/2 from a floppy, remove, and then recreate the BootManager partition. An HPFS system can become corrupted. In both cases, it is better to use anti-virus software that knows about those problems with Form and handles them properly. One such program is IBM Antivirus.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 14:44:32 -0400
From: tweaver@cs.UMD.EDU (Tom Weaver)
Subject: "AntiCMOS" virus cleaner? (PC)

The University of Md (including the dept I work in, botany) has had an outbreak of a virus identified as "AntiCMOS" by fp-212, and "lenart" by CPAV. CPAV claims to clean it - does anyone know anything about the virus and if other packages can clean it off (I don't wanna buy CPAV just for this)? It seems pretty nasty...

Tom Weaver

------------------------------

Date: Thu, 07 Jul 94 09:27:06 -0400
From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: tbav 6.21 released and available by FTP (PC)

Hi,

I just got the latest TBAV (Thunderbyte anti-virus) v6.21 from the authors. A full working Windows version (until now it was merely a front-end) will be available soon.
The files are available on:

1) Primary site: ftp.twi.tudelft.nl:/pub/msdos/virus/tbav
2) Secondary sites: oak.oakland.edu, garbo.uwasa.fi, nic.funet.fi
   These last two Finnish sites only have the complete package (nic.funet.fi will mirror the rest tonight)
3) Mirrors of the above mentioned sites.

New features and viruses that are included: (whatsnew.621)

Update report of Thunderbyte Anti-Virus utilities.

Prefixes:
  '-'  indicates a change that does not require user attention.
  '->' indicates a modification that requires user attention, such as a change in program invocation, etc.

*** NOTE ***
Network administrators, read the TBAV.Doc file for information about a fast and reliable way to update all workstations automatically!

6.21 Product update
- -------------------

General information:
- TBAV for Windows is now available! The archive name: TBAVW621.ZIP.
- Most TBAV utilities have been optimized and prepared for future enhancements.
- Format of the signature file has been changed.

TbScan:
- Optimized and enhanced the new features of the 6.20. TbScan is now faster and smaller.
- Improved the generic decryptor. It can now handle more exotic encrypted files.
- Solved a bug in the new generic decryptor, causing TbScan to fail to detect all instances of a few polymorphic viruses.
- Solved a bug in TbScan 6.20 which caused it to fail to detect some viruses in memory.
- Revised the signature detection logic. Due to the major changes in TbScan 6.20, some generic signatures were detected before some more specific signatures, resulting in less accurate virus naming.

TbScanX:
- Enhanced option 'AllExec'. You may now specify the drives on which TbScanX should scan programs when they are about to be executed. Default without options are drives A and B; with option 'AllExec' programs on all drives will be scanned, unless the drives are specified.
  Note that option 'AllExec' only applies to the execution of files: when files are copied, modified or created TbScanX will always scan, no matter which drives are involved. The idea behind option 'AllExec' is that programs which remain on your harddisk don't need to get scanned every time. They have been scanned already by TbScanX when you copied them to your harddisk. Files which remain on diskettes or CD-ROMs may not have been scanned, so they need to be scanned before DOS executes them. With the enhanced option 'AllExec' you can now specify yourself which media is 'trusted'.

TbDriver:
- The new 'lcd' option of 6.20 did not work as expected. Corrected.
- Added a new option 'freeze' (j) to keep messages on the screen. TbDriver will freeze the machine when a TBAV message is displayed.
- TbDriver now establishes a temporary critical error handler before reading an AV record.

TbKey:
- Now generates additional key information for compatibility reasons. This solves key authorization problems on non-DOS systems.

Viruses:
- Removed signatures:
  EMF.683              Replaced by Screaming_Fist.I.683
  Gippo.Bumpy          Now covered by generic Gippo signature
  Gippo.Earthquake     Now covered by generic Gippo signature
  Gippo.EpidemicWare   Now covered by generic Gippo signature
  Gippo.Stunning       Now covered by generic Gippo signature

- Changed signatures:
  Andromeda            Now detects a new variant
  Astra.1010/1556      Now also detects the 1556 variant
  Backfont             Now detects a new COM variant
  Burma                Now detects a new variant
  Como                 Now detects a new variant
  Cossiga              Now detects a new variant
  DAME:Trigger         Now detects a new variant
  Firefly              Now detects two new variants
  Icelandic            Now detects a new COM variant
  IVP {1}              Now also detects IVP.Wild_Thing
  July_13th            Now detects a new variant
  Natas                Now detects all samples
  Offspring            Now detects a new variant
  Peanut               Now also detects it in the bootsector
  SMEG                 Now detects 100% of 100.000 test samples!
  VCL.Succubus         Now detects all samples
  VVM                  Now detects some new variants

- Added signatures:
  _484  _641  _945  Alien_2  Garbage  Ancient_Page  Anti_Print  Arara
  ASStral_Zeuss (Dropper)  Beethoven  Bengal  Berlusca  Black_Knight  Bloody_Warrior
  Bomb (Trojan)  Boobs  BW.Archer  BW.Lotek  Carpe_Diem  Cascade.1491  Cascade.Fica
  Cascade.Yap  Chaos.1241  Chess  Chill  Civil_IV  Cluster2  Cybertech {2}
  Da'boys (Trojan)  Dark_Apocalypse  Dec3  DR-ET  DS-512  DSME:Connie.A  DSME:Connie.B
  Eternity  Fax_Free.Abstract  Fax_Free.Darkover  Fax_Free.Standard  Fax-Free.Sultan
  Feeblemind  Feist_II  Gippo.Cacofony  Gippo.Sunrize-A  Gippo.Sunrize-B  Golgi {2}
  Grog.216  Grog.4ever  Grog.518  Grog.647  Grog.757  Grog.774  Grog.798  Grog.800
  Grog.801  Grog.926  Grog.1016  Grog.1089  Grog.1142  Grog.1207  Grog.2010  Grog.2075
  Grog.2825  Grog.Delirious  Grog.Enmity  Grog.Outwit  HLL.Virms  HLL.Warm-V  IMI
  Int80  Ironhoof  Italian_Boy  IVP.April  Jackel.1 (Trojan)  Jackel.2 (Trojan)
  Jackel.3 (Trojan)  Joker_III  Junkie  Kali-4  Keeper.Acid  Keeper.Lemming  Knight
  Kohntark  KYZ  Lame  Leprosy.5120  Leprosy.AoD  Lisa  Maaike  MadWill  Marzia.2
  Max  Midnight  Minosse  Mirror {2}  MK_Worm  Monika  Monte-Carlo.1491
  Monte-Carlo.1549  MTZ.1_0  MTZ.Overkill (I/II/IV)  MTZ.Xandu  MTZ.YKK  Mudshark
  Mutagen  No_Limit  Nympho  Nympho.Geodesic  Paradis  PCBB.1720  Playgame  Polifemo
  Predator.1072  Proto-T.Ritzen  PS-MPC.Greetings  Psichosis  Qdris  Quadratic.II
  Raptor  Rest  Riot.1203  Riot.Enemy  Riot.Evil  Riot.Marked  Riot.Moonlite
  Rubbit.681  Rubbit.1018  Rubbit.2060  Rubbit.3811  Rubbit.3839
  Screaming_Fist.I.683  Screaming_Fist_III  Sex_666  Shira  Simplex  Singapore
  Stardot.979  Sundevil  SZE  T-1400  Tashkent  The_Best  Thunderdome  Toys  TRJP
  V82  Variable_Worm_I  Variable_Worm_II  VCL.McYellow  Vienna.1041  Vienna.W13.534.b
  Vivat  VTech  Weirdo  Yesterday  Z_Rock  Zaphod

Piet de Bondt.
bondt@dutiws.twi.tudelft.nl or piet@kgs.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 56]
*****************************************