VIRUS-L Digest   Tuesday, 2 Aug 1994    Volume 7 : Issue 57

Today's Topics:

Re: Good viruses/Bad viruses
Re: Good viruses/Bad viruses
Re: Benign viruses
Re: good viruses?
Re: _Fred Cohen and computer viruses
Re: good vs. bad
Re: Good vs Bad
Virus Simulators
Stop the Madness
Re: Virus Simulation
Re: good vs. bad
386/486 Unix virus protection (UNIX)
Re: Re| Server-Downing Viri (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Server-Downing Viri (PC)
Re: Stealth.B Pain (PC)
Re: NEEDED: Info on possible Windows virus. (PC)
Re: SMEG Junkie (PC)
'Junkie' virus info (PC)
Re: Symantec (PC)
Norton Antivirus 3.0 updates? (PC)
Second AV tool? (PC)
Best Anti-virus software (PC) ???
Graphcnv.exe False Alarm? (PC)
Current scanners (PC)
Re: Athens virus: info needed (PC)
Re: Norman Virus Control (PC)
Re: First Posting - First Virus heeeellllp (PC)
Re: Re| VIRSTOP 2.12 Freezes PC (PC)
Re: To all who replied about "where is F-PROT?"... (PC)
VIRSTOP with /NOTRACE (PC)
Re: _HELP ! (PC)
Search for ftp site (PC)
tbav621/tbavx621 - Thunderbyte anti-virus v6.21 (complete/optimized) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 07 Jul 94 15:32:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good viruses/Bad viruses

Erwin van Beinum(guest) (evb@hermes.bouw.tno.nl) writes:

> My dear sir Vesselin. why bother to communicate with somebody like that.
> In my opinion you're a very brave man to do so, but it is so meaningless.

My opinion is that it is not meaningless. The danger of the free and far-reaching communications is that somebody with a wrong set of beliefs can easily repeat them many times to a very large public. A serious part of this public might not have sufficient prior knowledge on the subject, and be easily fooled, by the rule that a lie repeated a thousand times becomes a truth. :-(

You see, freedom of speech is a wonderful thing, but with it comes the responsibility. We can't censor the jerks bragging publicly about how they are doing "research" while in fact they are writing real viruses and causing harm, without giving up the freedom of speech. Therefore, it is the responsibility of those who are better informed on the subject to speak up and present counter-arguments just as widely. At least then the public will be able to make up their own minds themselves, having the opportunity to objectively select between two points of view.

> Don't bother people who try to attack others because they think they are
> being attacked.

I don't care how they feel about it, but if they are attacking others and spreading half-truths and outright lies, I am going to show how wrong their claims are.

> To me it seems
> very stupid to do, but the person who attacked you at some non-interesting
> points tries to prove himself.

...and fails. This result, alone, shows one more time that the people who are defending the virus writers are wrong and their arguments - baseless. I do think that this result has a value of its own.
> hope this message is clear enough for all people who consider
> that viruses like real 'dangerous' computer viruses or HIV-viruses
> can be good. Of course they can. HIV viruses are good against too much
> people on this world and computer viruses keep the low level employee
> from staying all day behind his or her computer. because the

It would be nice if all those who defend the virus writers expressed themselves in such a clear way. If someone clearly says that his definition of "good" considers the HIV virus "good", because it helps to get rid of the too many people, he clearly states what his ethical positions are, and it is relatively easy for the reader to understand the motivations behind some other of the speaker's claims.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 15:41:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good viruses/Bad viruses

Gary Jones (gdj@netcom.com) writes:

> The issue here is simple: is 'bad' *necessary* in an objective definition
> for a computer virus.

Is this really the issue? From the discussion so far, I got the impression that it is about whether there can be beneficial viruses. Furthermore, I suspect that there is not (and cannot be) *one* definition for this phenomenon. Dr. Cohen's definition is very useful in one particular area of computational mathematics - yet completely useless (because it is too broad) in real life. My point of view, so far, is that the sides discussing this subject should clearly explain what they mean exactly - in simple words, understandable by the general public.
It is also important that all attempts to intentionally mix definitions and their areas of application, in order to cause confusion and to condone the criminal acts of those who write and release real computer viruses, should be spotted and revealed.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg

------------------------------

Date: Thu, 07 Jul 94 15:43:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Benign viruses

Matthew Johnson (matjoh@delphi.com) writes:

> >to entertain the concept, just have not seen any in practice). Have not even
> >had to leave home to find something that every virus I have seen screws up.
>
> I have found one that doesn't--KOH. It reproduces at your command, encrypts
> your HD with a password you give it, if you want, and it has NO bugs.. so far.

You are wrong. There are several cases in which this virus *does* screw things up and does cause damage.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg

------------------------------

Date: Thu, 07 Jul 94 15:45:25 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: good viruses?

Ian Douglas (iandoug@cybernet.za) writes:

> IMHO, there is no such thing as a benign virus - if it replicates, it
> has to either create files (companion) or mess with existing files,
> BS, or FATs. When it does so, it ceases to be 'harmless' and starts
> causing damage.

Again, you are failing to understand that what Dr.
Cohen is talking about is something *different*. His "viruses" do not replicate uncontrollably, do not infect just anything in sight, and do not mess with boot sectors or FATs. In short, they are not real computer viruses. :-)

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg

------------------------------

Date: Thu, 07 Jul 94 15:49:15 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: _Fred Cohen and computer viruses

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> Are there electronic variants of Dr Cohen's articles and books ?

No. He does not consider the integrity of the electronic media to be good enough and does not distribute his works in electronic form. But most of his articles on computer viruses have appeared in the journal "Computers & Security"; I think it should be available in Russia, at least in some technical libraries.

> Can I know this definition and Dr Cohen's definition of virus ?

It is not easy to express it in ASCII, because it is mostly mathematical formulae, and I am not sure whether posting in TeX would be appropriate for this forum.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg

------------------------------

Date: Thu, 07 Jul 94 16:00:36 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: good vs. bad

A.Jilka (jilka@GBAWS4.zamg.ac.at) writes:

> Who said, that a virus MUST be bad to be a virus ?
Fact is, that all known *real* computer viruses *are* bad. It is certainly possible to create beneficial programs that replicate (parts of) themselves - this is what Dr. Cohen is talking about. Most other people wouldn't call them "viruses", although they do conform to his definition of this term - but then, so does DISKCOPY.

> Why does a virus have to modify a program to get active ? (companion)

It doesn't, indeed. All it has to do is to (a) replicate and (b) make sure that it is executed in some way. BTW, if your remark is intended to imply that companion viruses are not causing damage - this is incorrect, they do, at least by occupying disk space and otherwise wasting computer resources. If this is not authorised by the owner of the computer system, then it is a wrong thing to do.

> Why must a virus replicate 1000 times on a HD to be a virus ?
> Isn't it sufficient to replicate once for each media ? (BSV)

It is, indeed, and I very strongly suspect that every "beneficial" virus must have "worm-like" behaviour and be present only once on the host computer. BTW, there was some discussion in the past whether companion viruses and boot sector viruses are really viruses or worms. When I reported the first companion virus (TP_Worm), I proposed the term "bacterium", but it didn't stick. Now we are calling them all just viruses.

> Therefore some of the bad things which make every virus a bad virus
> certainly don't hold.

Those are not the only reasons why computer viruses are considered bad. I have collected about a dozen such reasons.

> An "official" virus would
> have to check the same things.

Indeed, a replicating program that claims to be beneficial should do a lot of checks and conform to a lot of rules. Problem is, if you implement them all, the resulting program doesn't look like a real virus any more and wouldn't be considered as a virus by most people.
Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg

------------------------------

Date: Thu, 07 Jul 94 17:06:19 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good vs Bad

Adam Jenkins (adamj@highett.mel.dbce.csiro.au) writes:

> Um yeah but one small thing to point out, I'm not trying to tell
> other people what to call things.

But then, AFAIK, you are not a computer virus expert, so it is more than fair not to take such a responsibility.

> >Those views certainly aren't an accident - they reflect the real losses
> >of time, efforts and money that the real people have suffered from real
> >viruses. The claim that such a view is in the interests of the
> >anti-virus industry is certainly interesting - maybe you can supply
> >some evidence to back it up?

> I wouldn't have thought evidence was needed, just a bit of thought.
> Just like people who sell locks aren't going to sell many locks telling
> about how school lockers are being broken into and some kids books being
> pinched, why would people buy products to kill programs they know very
> little about if they knew that a large percentage of these viruses are
> relatively harmless?

So, your point is that the lock-producing industry is behind the media hype that claims crime to be widespread, right? As I said - an interesting point of view...

BTW, the "large percentage of the viruses" are NOT "relatively harmless". Any real virus could easily cause damage under some conditions. This is not so bad by itself, because, more or less, it is true about just any program. However, a virus is a program that spreads itself in an unauthorized way!
If you discover that some legitimate program screws up the hard disk on some particular machine, you just won't use it on that machine (if at all). On the other hand, you can't prevent a real virus from infecting a machine on which it will cause damage. Furthermore, unlike the legitimate programs, there are no tech support teams behind the computer viruses. It is even usually unknown what each of them does exactly and under what conditions it causes damage. Therefore, if your company gets its computers infected, it *must* remove the virus - in order to stop its spread and to prevent it from causing unintentional damage. Well, all this virus hunting and checking the company's PCs takes a lot of time and effort, which eventually translates into a money loss. *This* money loss is the damage I am talking about, and this is what I mean when I am saying that there is no such thing as a "harmless" *real* computer virus.

> >system bugs they have snatched from a fellow cracker works, let alone
> >how to fix them. Lots of loss of perspective, as it seems...

> You're generalising, there are many pursuits in which people are lousy
> and yet still call themselves the common name for that pursuit.

Yep, wishful thinking seems to be quite widespread... Especially among the young, uneducated crackers. :-)

> Um no but I would expect a criminal who broke into my house when I left
> my door unlocked or open to get less time than if he had actually had to
> pick the lock or force the door.

I would advise you to consult a legal authority on the question. Unless Australian law is very different in this aspect than the law in many other countries, I suspect that your expectation is wrong.

> No it will be a long time I would hazard to guess before someone will
> devise a beneficial computer virus, KOH seems like a good beginning
> though.

It is not, because it causes damage just like many other real viruses.
And also because what KOH does can be done much more efficiently with a non-viral program. The author of the virus has made in practice the same mistake that several people here make in their reasoning - he has picked a real virus and has tried to add beneficial properties to it. It will never work. Instead, one should proceed in the opposite way - take a beneficial program and consider whether it can be improved by adding some kind of mechanism for controlled replication, without reducing its initial usefulness and without introducing any malicious capabilities.

> I am just sick of hearing how evil and widespread viruses are.

They are certainly less widespread and less dangerous than the media makes them look, but they *are* an increasing problem and they *are* evil in the sense that they are causing damage.

> >Is there? Evidence, please. My own statistics show that the most
> >widespread viruses have been distributed in some perfectly legal way.

> The problem with gathering statistics like this is that for some strange
> reason people who pirate software don't like to advertise that fact.

They don't have to advertise it. My point is that usually a virus gets a much wider distribution because somebody has put it in a legally distributed package, even if you consider that all infections with unknown source are coming from pirated copies, which is a large overstatement, IMHO.

> And I would guess that the majority of people who find their computer
> has a virus would get a copy of an antivirus package and use that to
> kill it, not always call you; especially not if they suspect they got
> the virus in a pirated game or application.

This is also a valid point; in fact it is unrelated to whether they have pirated the program or not. People call us when they have a problem. If their anti-virus defenses are able to successfully deal with the infection, we usually don't hear about it.
> >But people do believe all the nonsense that is in the newspapers - at
> >least most of them do so. Welcome to the real world.

> Welcome to commercial anti virus land.

Why particularly anti-virus? When was the last time you verified the capabilities of a popular commercial encryption program? Do you know what kind of junk Central Point Software (PC Tools) and Symantec (Norton's Diskreet) sell as "DES implementations"? Readers of this forum have often seen my negative opinion about the anti-virus packages of those two companies, but I would certainly prefer to rely on their scanners for virus protection than on their encryption programs for keeping my privacy... It is like that with almost any kind of product, the quality of which cannot be easily verified by the user.

> >Oh, yes, the "virus researchers". Who are they? I don't know any
> >self-respecting scientific researcher, besides Dr. Cohen, who claims
> >that computer viruses can be beneficial.

> They are those who are interested in viruses that agree with you it
> appears. The others must just be plain evil.

Interest in viruses does not automatically make an anti-virus researcher. And those who *are* anti-virus researchers do agree with my positions on this question, incidentally.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg

------------------------------

Date: Thu, 07 Jul 94 17:59:35 -0400
From: Iolo Davidson
Subject: Virus Simulators

> Mr. Skulason stated that virus simulators were *not* intended
> to set off avs scanners.

They *are* intended to. They are just useless for the purpose. Some scanners (the poor ones) will react, but they shouldn't, because no real virus is present.
If you use these for testing, you will get false results that lead you to select a poor scanner.

> If this is the case what can a company use to evaluate various avs
> products so as to decide for themselves which scanner scans faster,
> is more accurate, uses less memory, etc., and not have to rely on
> marketing hype?

You don't need viruses to test speed, ease of use, memory requirements, false alarms, and similar issues. You need them to test detection rates and repair capability.

Accuracy? How would you know whether one scanner was accurate (This disk has Stoned) and another inaccurate (This disk has New Zealand II)? Hint - in this case, two names for the same virus, both valid in their own naming convention. Multiply by 5000 possible naming conflicts.

The world badly needs a testing organisation which is a) competent and b) impartial. Many of the competent tests are biased, if only by the fact that they use a test set of viruses that gives an advantage to one particular product, possibly because the publishers of the product supplied the test set or are closely associated with the person who supplied the test set. This can be regarded as inadvertent. Non-competent tests abound in the computer media, including totally invalid nonsense tests performed on virus simulators.

Mark Ludwig/American Eagle are supplying a CDROM full of viruses which could be used by responsible people for testing anti-virus products. It is also very likely to be misused by irresponsible people, but seeing as it is being distributed anyway... According to Virus Bulletin, this CDROM virus collection is a clean library of real viruses rather than the usual underground mishmash of garbage files.

> Thanks for any info. We are trying to choose an avs product and
> are looking for a product that can test avs scanners.

There is no commercial product that does this.
If you have a virus collection, it is very simple to run a scanner against it, but much more difficult to make a valid interpretation of the results. For instance, how do you know if a file which is flagged as a virus by one scanner but not by another is really a virus? Which scanner is wrong? Some scanners do flag non-virus files as viruses, simply because the programmer knows that a particular garbage file is in someone's test set. He knows it isn't a virus, but he doesn't want to lose points by "missing" it. Is this honest? The scanner that does *not* call the file a virus is correct, but loses points in a test using that test set.

While you may well be an unbiased tester, it is unlikely that you will be able to obtain an unbiased test set of viruses, and almost certain that you will not be able to test av software competently even if you do.

Vesselin Bontchev is both competent and unconnected with a product. His test results and general recommendations and advice appear here from time to time, and I regard them as being unbiased and of high quality.

Competent tests are published by "SECURE Computing" and "Virus Bulletin". I believe that both journals make a great effort to maintain impartiality, but both have some association with anti-virus software publishers. "Virus Bulletin" unfortunately sometimes appears to snipe at one particular well known anti-virus researcher and publisher, which does not contribute to a perception of impartiality, but I don't believe this affects their software reviews.

I am technical editor and regular columnist in "SECURE Computing".

- -- 
        HALF A POUND
      SPREAD ON THIN
   FOR ABOVE THE COLLAR
      HALF A DOLLAR
        Burma Shave

------------------------------

Date: Tue, 12 Jul 94 11:27:19 -0400
From: rreymond@VNET.IBM.COM
Subject: Stop the Madness

Hi Vesselin, how d'ya do?
You wrote:

>At login time, i.e., whenever a user tries to log in from his/her
>workstation, this program checks whether the workstation is running
>the latest version of the anti-virus package. If this is not the case,
>the program offers the user to automatically update his/her copy from
>the server and then to reboot the PC (so that any resident scanners
>are reinstalled from the updated versions). If the user does not
>accept the offer, then access to the LAN is refused.

>Do you see any problems with the above scheme? I don't. You, as the
>owner of (or the person responsible for) the network, have the full
>right to refuse network access to a workstation that does not comply
>to the company's policy of running the latest version of the
>anti-virus package.

>Well, according to Dr. Cohen's definition, the anti-virus package,
>together with the login script and the parts that do the checking and
>the copying of the updated versions, is a virus - because it copies
>(possibly modified parts of) itself. Do you understand now what I mean
>when I am saying that what Dr. Cohen understands under the term
>"computer virus" and what the general public understands under this
>term, are completely different things?

Uh... It's evident that the common idea of a virus and what Mr. Cohen has described are two different things... But there's something that sounds wrong to me: to be classified as a "virus", must not a piece of code be capable of spreading at least one functional copy of itself, which is in turn capable of repeating the whole cycle?

I mean, the first upgrade (from server to clients) seems to accomplish this requirement, so we tend to say "hey, this may be a virus". But then all the so-spread copies are *not* in a condition to repeat the process even once. In this case, then, the virus seems to be *not* the AntiVirus upgrade, but the combination of the upgrade and the script on the LAN.
Anyway, even if this can be defined as a "virus", it seems (IMHO) that it works only a single time (server to client) and stops. Too little to be a "virus", no?

.............................................Bye!
..................................................Roberto

- -----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond              IBM PSP - Central Emergency Response Team Semea
RREYMOND@VNET.IBM.COM        Circonvall. Idroscalo
RREYMOND at VNET             20090 Segrate (MI)
ITIBM99K@IBMMAIL.COM         MI SEG 526   Italy
.........Phone +39.2.596.25244     Fax +39.2.596.29587..............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Tue, 12 Jul 94 11:27:42 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Simulation

dhull@nunic.nu.edu (Dr. David B Hull) writes:

>I must also agree, however, despite being touted as a means
>of evaluating various scanners; it probably is not the best way
>of doing this.

it may be usable for some things....but it is not usable for testing scanners (well, except for Doren's MtE virus)....attempting to use it to test scanners in any other way is pointless..

- -frisk

------------------------------

Date: Tue, 12 Jul 94 11:26:13 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: good vs. bad

jilka@GBAWS4.zamg.ac.at (A.Jilka) writes:

>Who said, that a virus MUST be bad to be a virus ?

that is not a part of the definition of virus....it is just the "real world" effect of "real viruses".

>Why does a virus have to modify a program to get active ?
>(companion)

It does not....my definition says "it must modify the program or its environment in such a way that execution of the program implies execution of the virus".

>Why must a virus replicate 1000 times on a HD to be a virus ?

it does not...what gave you that idea ?

>Isn't it sufficient to replicate once for each media ? (BSV)

>Therefore some of the bad things which make every virus a bad virus
>certainly don't hold.

huh ? those are not the things that make viruses "bad"...

- -frisk
Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Thu, 07 Jul 94 19:55:12 -0400
From: aflynn@netcom.com (Alana Flynn)
Subject: 386/486 Unix virus protection (UNIX)

I am looking for virus protection software for pc-based unix systems. If there is no such software available on the commercial market, then I would appreciate any suggestions for a convincing argument as to why virus protection software is not needed. By convincing argument I mean something other than the NEARLY zero possibility of virus infection in unix systems.

Thanks in advance,
A. Flynn
e-mail aflynn@netcom.com

------------------------------

Date: Thu, 07 Jul 94 15:03:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Re| Server-Downing Viri (PC)

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> > There are a few viruses that are Netware-specific, attempt to use loophole
> > in some particular versions of Netware, but they are not among those you l

> What are these viruses and versions of Netware ?

1) The Jerusalem.GP1.* viruses capture NetWare login packets that contain the password in clear and broadcast this password to a particular node. Novell does not send passwords in clear since version 1.x, I believe.

2) The TrJP virus intercepts an internal function used by LOGIN to communicate the password to the network shell (NETX).
This works on NetWare versions 2.x and 3.x; not sure about 4.x.

3) The Yankee_Doodle.TP-44.Login.* viruses also capture passwords at login time, but I do not remember right now how they are doing it and on which versions of NetWare it works.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg

------------------------------

Date: Thu, 07 Jul 94 15:16:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

> I'm a member of both the ASP and the ASAD and you can obtain the
> shareware version of my "Virus Simulator" as VIRSIM2C.ZIP from
> most ASP approved vendors and the ASP, JCS and other CD-ROMs.
> Also it is available for downloading from most anonymous ftp
> sites and simtel and garbo mirrors. VIRSIM2C.ZIP

Sadly, this is true. Fortunately, those versions do not include any real viruses, otherwise that would be yet another case of "viruses on CD-ROMs" to worry about. :-(

> Registered users receive several supplements in addition to
> shareware version.

Like two real, MtE-based viruses. How nice, isn't it? A member of the Association of Shareware Professionals, selling viruses...

> The Virus Simulator MtE supplement generates
> real viruses based on an actual Dark Avenger mutation engine.

Indeed, both Frisk and I forgot to address this point. Thanks for reminding me, it's a good one. So, here it goes.

1) The unregistered version of the product does not generate viruses. Yet, the way it is marketed fools the users into believing that it can be used to test anti-virus products - something that is completely bogus.
2) If you decide to pay for it, you additionally get two real viruses. So, the "normal" version of the product is misdirecting the users, and the registered version sells them viruses. A very nice product, indeed.

> Users can confirm this for themselves as the samples actually
> replicate. Like all the virus samples generated by the Virus
> Simulator, they are safe and controlled.

Rubbish. They are trivial to modify in a way that they can escape what their author calls "control". Any kid who knows how to use DEBUG can do it, by modifying just a couple of bytes. Additionally, those are not just any two viruses, no. Doren Rosenthal is selling Dark Avenger's Mutation Engine, thus providing a tool to any aspiring virus writer. The MtE is only slightly more difficult to extract from the virus (each replicant of which carries a copy of it) than to disable the "control" mentioned above.

> The boot sector virus simulations actually overwrite the boot
> sector on the floppy diskette. You can boot from the floppy and
> confirm this for yourself. The registered version supplement "B"
> does this very dramatically. Anti-virus products that protect
> systems from attacks on a boot sector from a virus should have no
> difficulty revealing this action.

What the above really says is that he is selling a program that modifies boot sectors. What a great tool for testing anti-virus products, indeed! Microsoft is also selling such tools - they come with DOS and are called SYS and FDISK. Gee, I guess Microsoft is now in the anti-virus testing business... NOT!

> Users should simply read the DOC file for themselves to
> understand the strengths and limitations of Virus Simulator.

Users should read the docs *really* carefully, in order to understand what the product really is and what it isn't. Unfortunately, most users don't do that, as the messages here on this subject seem to indicate.
> If an anti-virus program fails to detect one of the files
> infected by the Virus Simulator MtE Supplement, it has failed to
> detect a real virus based on an actual Dark Avenger Mutation
> Engine

At least this claim was correct.

> that has been made safe and controlled.

This one, however, wasn't.

> There is certainly room for disagreement here on the value of my
> Virus Simulator.

There certainly is. Frisk and I, at least, seem to think that this value is negative - i.e., that it is not only useless, but also harmful.

> read the documentation file, the limitations of this program are
> clearly stated, it's not misleading at all.

I beg to disagree about the "clearness", but yes, by all means, read it.

BTW, does anybody have a probable conjecture why the virus writers that want to make money from their viruses come mostly from the USA? Doren Rosenthal, Mark Ludwig, John Buchanan... There must be some social reason, like for the widespread creation of sophisticated viruses in the East European countries...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Thu, 07 Jul 94 16:23:01 -0400
From: fguidry@crl.com (Fran Guidry)
Subject: Re: Server-Downing Viri (PC)

Norman Hirsch wrote:

>> U56513@uicvm.uic.edu " Christopher Aedo" writes:
>
>>> Also, which anti virus package is the best one out there these
>>> days?
>
>I recommend McAfee's NETShield, an NLM that has been Novell Tested and
>Approved for 3.11, 3.12, SFT-III, NetWare for OS/2 and 4.01.

A version of NETShield was deemed responsible for corruption of 3.11 servers in my organization.

> It also has the
>best detection rates according to the latest versions of VSUM.
VSUM is widely described in this group as extremely inaccurate. Is there any business connection between the author of VSUM and McAfee? Most tests I have seen indicate that F-PROT and ThunderByte are much more effective than McAfee in detecting virus infections.

>Norman Hirsch                        Phone: 212-304-9660
>NH&A, authorized McAfee agent        Fax:   212-304-9759

Thanks for making your relationship with this product explicit.

Fran

------------------------------

Date: Thu, 07 Jul 94 20:34:47 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Stealth.B Pain (PC)

Vesselin Bontchev wrote:

[stuff deleted]

I have been following this group for some time. I was bitten by the Azusa virus, and lost many, many hours recovering. I also have intrinsic curiosity about such matters. I am a systems programmer for large telephone switching computers. I am beginning to recognize some of the people by name here, and respect some of their opinions and expertise. Vesselin Bontchev seems to be a knowledgeable man. His attitude is rather lacking, as represented by this post.

)CPAV is total junk. Throw it away and get a better anti-virus
)product.

This critical attitude is unworthy of the bandwidth it used in transmission. I would rather see you offer helpful suggestions, esp. to the people at Central Point, encouraging them to improve their product.

[stuff deleted]

)> 3) Where is a published listing of people who write viruses
)> so that I may wish bad things toward them by name ?
)
)There isn't such a listing available, but it is known who has written
)(and published) the main Stealth Boot virus. His name is Mark Ludwig,
)he owns American Eagle Publications, and his e-mail address is
)0005847161@mcimail.com. Send him a message, explaining him how much
)you appreciate his book that teaches people how to write viruses.

Another useless and vituperative comment, and one with which I rather disagree.
I believe that:

  - people who believe that the knowledge they have to create whatever (atomic bombs, computer viruses, cryptological algorithms, etc.) is something _special_ that only they can figure out are EGOTISTICAL in the extreme

  - the attempt to suppress knowledge by suppression of dissemination of information is not only doomed to failure, but actually causes MORE OF THE "BAD" PEOPLE TO KNOW IT and PREVENTS THE "GOOD" PEOPLE FROM DEFENDING THEMSELVES

  - that much of the desire to write/modify viruses comes from the "mystique" associated with them, and that when everyone knows what a virus is and exactly how to write one then the virus "crisis" will pretty much fade away

If Mark Ludwig actually published the source for a virus, and did not do so with the intent that others use it for illicit purposes, but rather to educate the public at large, then:

I hereby publicly commend Mark Ludwig for publishing the source to the virus, and applaud his activities as being a part of the crusade to eradicate these pestilential programs. I intend to get a copy of his book as soon as possible.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 07 Jul 94 22:56:48 -0400
From: joenj1@aol.com (JoeNJ1)
Subject: Re: NEEDED: Info on possible Windows virus. (PC)

amarks@nella30.cc.monash.edu.au (Andy Marks) writes:

Andy,

You've probably gotten an answer to your question by now, but I would suggest that you consider a few things:

First, I would suggest you try another virus scanner (I use F-PROT version 2.12c, with good results) to see if you can pick up a virus.

Secondly, you mention that you have installed 4DOS on your system which makes me think that you have some type of conflict with Windows and the product. I've had problems with Windows for Workgroups and a screen saver that kept me from updating changes in File Manager until I disabled the screen saver... it had me going for awhile....
Do you have any TSR's or utilities running that come with 4DOS? You might send a note or call the software company.

Although there are a few Windows-specific viruses out there, they are relatively rare, to my knowledge. If you find out what the problem is, post a message, I'd be interested in the resolution.

Good Luck!

------------------------------

Date: Fri, 08 Jul 94 08:58:49 -0400
From: stevet@fujitsu.com (Steve Tamanaha)
Subject: Re: SMEG Junkie (PC)

lev@slced1.Nswses.Navy.Mil (Lloyd E Vancil) writes:

>A report in dod news this am ,Quoted below, speaks of
>Smeg and Junkie spreading. I cannot find reference to
>either in vsum. Can someone out there enlighten me please.

(note to moderator: sorry about such a long message... but i think a lot of people might want to see this)

These signatures are compatible with VIRUSCAN Version 11X and HTSCAN's mcafee.dat

New Virus Alerts!!!

The following viruses arrived too late to be placed into Version 116, however, enclosed are descriptions and external strings to detect them. To use the external strings, create a text file with one string per line and save it to something like VIRUS.TXT. Then run VIRUSCAN by typing:

    SCAN C: /EXT VIRUS.TXT

You can replace "C:" with any drive letter or letters (each separated by a space). To check all local hard disk drives, replace "C:" with the "/ADL" switch. To check all network disk drives, replace "C:" with the "/ADN" switch.

NOTE: These strings are for VIRUSCAN Version 11X only, not the new Version 2.x series.

Chill Touch

Description: The Chill Touch virus is a memory-resident .COM file infector. When run, the virus installs itself in memory as a terminate-and-stay resident program and infects COMMAND.COM.

Infection Method: Once in memory, the virus watches for the running, copying, and opening of .COM files and infects on these accesses, increasing the size of infected files by 544 bytes.

Messages: The virus contains the message "Chill Touch . You can't touch these phantoms", however, the message is not visible within the virus code due to a simple XOR loop used to cipher the virus code.

Detection: The virus can be detected by VIRUSCAN's /EXT switch with the following string:

    "C7 09 8B F7 AC 34 ? AA E2" Chill Touch

Infected files can be deleted with the DOS DEL command or VIRUSCAN's /D switch. VIRUSCAN's validation and recovery codes option will also detect and remove this virus.

Other: We have received two reports of this virus from the United States and one report of the virus from Europe to date.

- ---

Junkie

Description: The Junkie virus is a memory-resident multipartite (file and system area) infector. The virus infects .COM files greater than 4,096 bytes and the master boot record of hard disks.

Infection Method: Once a virus-infected program is run, the virus installs itself in memory as a terminate-and-stay-resident program. On the system area of the hard disk, the virus copies two 512-byte sectors of code into the first track of the hard disk. The virus then modifies the existing master boot record of the hard disk to read the extra sectors and execute them upon boot-up. For files, the virus monitors the system for attempts to run and open them. When a file is run or opened, the virus checks it for a .COM extension on the file. The virus modifies the beginning instructions of the file to point to the end of the file, and adds approximately 1,024 bytes of virus code to the end of the file. The next time the file is run, the virus code will then be executed before returning control to the host program.

Messages: The virus contains the text "Dr White - Sweden 1994 Junkie Virus - Written in Malmo..._", however, this message is not visible within the virus code due to a simple XOR loop used to cipher the virus code.

Detection: The Junkie virus can be detected by VIRUSCAN's /EXT switch with the following string:

    "26 81 34 ? ? 46 46 E2 F7" Junkie Virus

Infected files can be deleted with the DOS DEL command or VIRUSCAN's /D switch. VIRUSCAN's validation and recovery codes option will also detect and remove this virus.

Other: We have had one report of this virus on one PC from Stockholm, Sweden. While there have been multiple reports of this virus from the Great Lakes region of the United States, it appears that these are not reports OF the virus but reports ABOUT the virus from the U.S. distributor of a Scandinavian antivirus program. We have had no other infection reports of this virus from any of our 150+ offices in 50+ countries around the world.

Aryeh Goretsky
Manager, Technical Support
End of Bulletin
MCAFEE Technical

- -jims@fsba.com

------------------------------

Date: Fri, 08 Jul 94 16:06:34 -0400
From: tyetiser@umbc.edu (Mr. Tarkan Yetiser)
Subject: 'Junkie' virus info (PC)

'Junkie' Virus Information

Copyright (c) 1994 VDS Advanced Research Group
P.O. Box 9393, Baltimore, MD 21228, U.S.A.

Note1: Permission to distribute the following information is granted to all parties without any restrictions as long as it is not altered.

Note2: Please do not request live virus samples from us. Unless we know who you are, we cannot release such samples. Thank you.

Description
- -----------

Despite much hype in the media about the so-called 'Junkie' virus, it remains a relatively unsophisticated beast. It has no stealth capability, no polymorphic engine, no intentional damage routine, and no remarkable peculiarity at all. We hope to offer some simple explanation about this recent virus and satisfy the curiosity of the public.

'Junkie' is a new multi-partite virus, i.e. it infects the MBR on hard disks and BR on floppy diskettes as well as .COM-type program files. The virus does not relocate the original contents of the MBR/BR to another place on the disk. Instead, it overwrites a small section of the MBR/BR code to include its own loader.
The loader then reads the rest of the virus from sectors 4 and 5 on head 0, track 0 of hard disks into memory.

The first time an infected program is run on a clean system, 'Junkie' tries to infect the MBR. It also issues a call to uninstall the VSAFE program that is included with certain anti-virus packages, namely MS-DOS(tm) 6.x and Central Point Antivirus(tm). It does not spread to files at this time.

Upon booting the computer, the virus code is loaded by the fragment in the MBR. The base memory size is reduced by 3K, and interrupts 1Ch (timer), 13h (disk), and 21h (DOS services) are hooked. The virus is fully infectious at this point. If the user attempts to run a .COM program or copy one, the file is infected.

The method used to open victim files is a little tricky. 'Junkie' opens the victim file for read-only access so that anti-virus monitoring programs do not complain. After that, it uses undocumented DOS calls to modify the open mode to read/write by directly manipulating the open file information DOS maintains internally. This is nothing new.

'Junkie' examines the sector read requests for access to the boot sector of any diskette in drive A:. If it discovers that the BR is being read, it tries to infect the disk if it is clean.

The virus INT 21h handler monitors LOAD/EXEC, FILE OPEN, and EXTENDED FILE OPEN requests. If such a request is issued, the handler checks if the file is a .COM file, and if so, it infects it. The size of infected programs increases by about 1030 bytes.

The main virus code is encrypted with a simple XOR loop. When an infected program is run, a small decryption routine is executed to get back the executable code in plaintext. A simple wildcard scan string is easily available.

The following text message is present in the virus, though it is not visible in the files due to encryption:

    "Dr White - Sweden 1994"
    "Junkie Virus - Written in Malmo"

The virus does not seem to contain any intentional damage routine.
Detection
_________

On an infected system with 640K of base memory, the virus interrupt handler for INT 21h will be located at 9F40:0237 with the following sequence:

    3d 00 4b          cmp   ax, 4b00        ; load/exec
    74 12             jz    024e
    80 fc 3d          cmp   ah, 3d          ; open file
    74 0d             jz    024e
    80 fc 6c          cmp   ah, 6c          ; ext. open file
    74 08             jz    024e
    2e ff 2e 5a 03    jmp   far cs:[035a]   ; chain to old 21h handler

You can check if the virus is present by using the DEBUG program as follows:

1. At the DOS prompt, type DEBUG and press Enter.

2. Once the DEBUG prompt, which is a - (dash), appears, type:

       -d 9f40:0237

3. Look at the sequence of bytes displayed. If they are:

       3d 00 4b 74 12 80 fc 3d 74 0d 80 fc 6c 74 08 2e ff 2e 5a 03

   then the virus is in memory.

4. To make sure, you can check another sign of the virus. Type:

       -d 9f40:0362

   You should see the "Dr White - Sweden 1994" message.

5. To exit the DEBUG program, type:

       -q

6. You can further check the base memory size and see if there is a 3K discrepancy. Note that some systems report only 639K, and on such systems, the base memory size will be off by 4K.

Removal
- -------

For simple removal without an anti-virus program, take the following steps:

1. Turn the infected computer OFF.

2. Put a clean, write-protected DOS 5.0 or higher system diskette in drive A: and turn the computer ON. Earlier DOS versions won't do.

3. Once the A:> prompt appears, type:

       FDISK /MBR

4. This should get rid of the virus in the MBR and replace it with good code.

5. Remove all .COM files from the hard disk and replace them with clean backup copies. Note that this is not a practical thing to do. You should get an anti-virus program and determine which files are infected, and then replace them.

   If your anti-virus program supports an external signature file or user-defined signatures, you can add the following string to search for the 'Junkie' virus in program files:

       be ?? ?? b9 f4 01 26 81 34 ?? ?? 46 46 e2 f7

   To scan the boot sectors or memory, use the following string:

       b8 02 02 bb 00 7e b9 04 00 ba 80 00 56 53 cd 13 e9

6. For bootable DOS diskettes, the DOS SYS command will be effective. For non-bootable diskettes, simply copy the files to another disk, and then format the diskette, and then copy the files back. Note that you must NOT DISKCOPY since that would transfer the virus to the new diskette.

------------------------------

Date: Sat, 09 Jul 94 00:30:19 -0400
From: "Jeffrey Rice - Pomona College, California."
Subject: Re: Symantec (PC)

>Making money, I guess. :-) Yep, now Symantec should "own" the
>following anti-virus products: NAV, CPAV, MSAV, NOVI, Untouchable.
>(And didn't Central Point buy XTree in the past? Then Symantec should
>now also own XTree's anti-virus product.)
>
>Just speculating - what would happen with the millions of users of the
>above products if, for some reasons, Symantec suddenly goes out of
>business? :-( Yes, it doesn't look very probable, but then who would
>think one year ago that Central Point is going to disappear?
>
>Regards,
>Vesselin
>- --

Well, is that really such a bad thing if it does happen? Those users would have to find new products, but hopefully they would find ones with better performances than NAV, MSAV, or CPAV. Not that this is a likely event, but I don't think that the loss of these programs would leave us defenseless by any means.

Jeffrey Rice

/-----------------------------------------------------------------------------\
| Jeffrey Rice          | "The man who ...is not moved by concord of sweet    |
| Pomona College        |  sounds is fit for treasons, stratagems, and        |
| Claremont, California |  spoils. Let no such man be trusted."  -WS          |
\-----------------------------------------------------------------------------/

------------------------------

Date: 09 Jul 94 17:41:35 -0400
From: x93christia1@wmich.edu
Subject: Norton Antivirus 3.0 updates? (PC)

Does anybody know what the newest public domain update for Norton Antivirus 3.0 is? It is the newest one I have, and I'd like to have the newest of the virus lists for it. The one I have is for like Feb, or late 93 I think.. which is 30A01... Are there any newer ones? Is there a newer version of Norton Antivirus? Let me know via email preferably since I rarely read unews. Reach me at:

x93christia1@wmich.edu
or
99chris2@lab.cc.wmich.edu

Thanks

Darron

|---------------------------|
|x93christia1@wmich.edu     |
|99chris2@lab.cc.wmich.edu  |
|---------------------------|

------------------------------

Date: Mon, 11 Jul 94 11:28:37 -0400
From: kierstea@ait.nrl.navy.mil (David Kierstead)
Subject: Second AV tool? (PC)

I have been using F-Prot for some time, and am surely impressed by its speed and simplicity (and price (:-)). I assume it is also "working"--it has never found a virus, but then I've never had any reason to believe that it missed one either [loud knocking on wood]. Nonetheless, it seems wise to have another line of defense.

I've seen lots of posts (and answers) about the "best" AV tools, how many (or few) each detects, and what percentage of what collection each detects. The question which I have not seen is: given that one is using F-Prot, what would be a good choice for his second (backup) AV tool? This would not necessarily be the second-best scanner. It would be the AV tool (perhaps even a mediocre one) which best fills the gaps in what F-Prot detects.

This might not be a meaningful question, since the answer may change with each new release. But it might be that developers on a different continent would encounter some strains earlier. (I keep seeing references to strains which, at first, have only been detected in one or another geographic region). Or for any number of other reasons, one AV tool might tend to complement F-Prot.

Any thoughts?
- --David Kierstead (whose opinions aren't anyone's)

------------------------------

Date: Mon, 11 Jul 94 11:33:15 -0400
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Best Anti-virus software (PC) ???

Thu 7, Jul 1994 bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes to ohe@allianse.no (ohe@allianse.no)

>
> > We're trying to figure out the best Anti-virus software for both
> > Netware server's (NLM's) and DOS/Windows workstation.
> >
> > We have been looking at Norton Antivirus v3.0, F-Prot,
> > Norman Data Defences and Central Point.
>
> I don't have much experience with NLMs and Winoze-based anti-virus
> products, but they are often worse than their DOS counterparts.
>
> However, I do have experience with the DOS versions of the above
> products. My impressions are:
>
> 1) CPAV - total junk. Often crashes. Causes false positives. Very low
> detection rate (impossible to measure, because it crashes on my virus
> collection). Nice user interface, though
>
> 2) NAV - mostly useless. Better than CPAV, in the sense that it at
> least works. Difficult to test, but not impossible. Very low virus
> detection rate - something like 64%.
>
> 3) Norman Data Defense. Moderately useful. The user interface is
> flexible enough both for novices and power users. The detection rate
> is bearable, but nothing impressive - about 75%. Slightly worse than
> McAfee's SCAN.
>
> 4) F-Prot. Excellent scanner - one of the best around. Very high
> detection rate - about 96%. Very good disinfector.

Yes, it is an excellent scanner, but (there are always buts) it sometimes misidentifies boot (PART) viruses. This part of the scanner needs to be made more accurate. Another point of discussion is a very "personal" identification of some viruses that have no relation to each other. (Families??)

>
> If you mean "which is the best one of the above four scanners", then
> this is definitely F-Prot.
> If you are interested in the products in
> general (not only in the scanner parts), then the other products have
> more features, but they are rather weak anyway, so it is difficult to
> compare. However, if you are asking which is the best scanner of the
> existing ones (not limiting yourself to the above four), then please
> consider also the following ones:
>
> 1) AntiVirus Pro. Shareware, excellent scanner/disinfector

Really?? :-)

>
> 2) Dr. Solomon's Anti-Virus ToolKit. Commercial, excellent
> scanner/disinfector, mediocre (no, bad) integrity checker, excellent
> resident scanner.

We think the same here.

>
> 3) TBAV. Shareware, excellent combination of different anti-virus
> tools, although one can find better ones in other packages. The
> scanner is excellent, the heuristic analyser too. Mediocre integrity
> checker, the disinfector shouldn't be relied upon - it is more like an
> experimental tool. The scanner is the fastest around.
                                        ^^^^^^^
                                           |
That's true, but reliability? ------------`

>
> 5) Integrity Master. Shareware, good enough integrity checker, if you
> can't find Untouchable.
>The scanner is also good enough - slightly better than McAfee's SCAN.
                                    ^^^^^^^^
                                    ??????

No, no, no. You miss the point here. Do you read LAT 9311??? Please, Mr Lambdin, do your test more frequently! :-)

Very Kind Regards

Ruben Arias
- ------------------------------------------------------------------------------
Ruben Mario Arias      |> /| | |> |\ | | |_ |      E-mail: ruben@ralp.satlink.net
Buenos Aires, ARGENTINA.
- ------------------------------------------------------------------------------

------------------------------

Date: Mon, 11 Jul 94 14:03:38 -0400
From: ab950@freenet.carleton.ca (Linden Mason)
Subject: Graphcnv.exe False Alarm? (PC)

A heuristic scan of my hard drive with F-Prot 2.12c found "suspicious code" in the WordPerfect file Graphcnv.exe. I seem to remember that this is a known false alarm, but I have deleted the doc file regarding this. Please advise.
- -Linden
- --

------------------------------

Date: Tue, 12 Jul 94 11:25:18 -0400
From: scottk@jolt.mpx.com.au (Scott Keegan)
Subject: Current scanners (PC)

We are looking to purchase a new scanner to run on our networked PC's. We currently run CPAV but feel that it is too far behind in updates. What we are looking for is a package that provides a good interface for users, as well as a TSR checker that will scan all A drive activity.

Any recommendations will be most welcome, including any justifications you think valid for your choice.

Thanks in advance,

Scott Keegan.

------------------------------

Date: Tue, 12 Jul 94 11:28:06 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Athens virus: info needed (PC)

ebottoni@cat.cce.usp.br (Eduardo Benedicto Ottoni) writes:

>I'm looking for some info on the Athens virus (effects, effective cleaning
>programs etc), which has appeared in many machines in our campus. Any
>information is welcome.

This is not a single virus, but a family of at least two different viruses, also known as Trojector...which is the name F-PROT currently uses. It recognizes (and disinfects) two variants - 1463 and 1561 bytes long.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 12 Jul 94 11:27:29 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Norman Virus Control (PC)

sguffey@pafosu1.hq.af.mil (Guffey, Steven W.) writes:

>They claim to be able to detect 99%+ viruses. Has anyone been able to test
>this claim?

99%+ of the viruses in their own collection, maybe....99%+ of all viruses... well, it is very hard to justify a claim like that....they certainly don't even have copies of 99%+ of all the viruses that exist....nobody does.

>Is the virus database (V-base) accurate? (Or at least more accurate than VSUM)

It is more accurate....I mean, it is quite difficult to be less accurate...but it is not perfect.

- -frisk

------------------------------

Date: Tue, 12 Jul 94 11:26:36 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: First Posting - First Virus heeeellllp (PC)

ehill@world.std.com (ed hill) writes:

>hello
>last week i started getting "invalid command.com" messages when returning
>to dos from 3ds or Windows. within hours of the first messages i started
>seeing scrambled characters upon running "dir" or using file mgr. this
>was of course happening to the most oft accessed directories. i'm coming
>to the end of a large project and the damage is considerable.
>recent backups are, i think also infected.

"infected"? Well....why do you think this is a virus? I can think of a much more likely possibility .... a program writing rubbish to random areas of memory is one of them. This does not look like a typical virus problem to me....although it is of course possible.

- -frisk

------------------------------

Date: Tue, 12 Jul 94 11:26:52 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Re| VIRSTOP 2.12 Freezes PC (PC)

kazatski@kartaly.chel.su (Kazatski Oleg Nikolaevitch) writes:

> the /Notrace also fixes a few other incompatibility problems - it makes
> Virstop work on old Cyrix 486SLCs (which are not 100% Intel compatible)
>                                                              ^^^^
> Why ?

Because old Cyrix 486SLCs do not single-step correctly....for example try single-stepping through a series of STI instructions...you will notice that it only stops on every other one.

- -frisk

------------------------------

Date: Tue, 12 Jul 94 11:27:02 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: To all who replied about "where is F-PROT?"... (PC)

rniess@whale.st.usm.edu (Rick Niess) writes:

>Hi All
> To all who replied to my request for f-prot's location, a
>heart-filled thanx goes out to you. So far I've gotten 43 replies
>from that same post. They all said pretty much the same thing, that
>I could find it at oak.oakland.edu. But there was one that was
>different. Here it is:
>
>RN> Nice to see, someone is using F-Prot. You can get newest
>RN> versions, as
>RN> soon, as they're released by frisk from his own ftp - complex.is

Well, I generally advise against downloading from complex.is .... in particular if you are located in the US. The reason? Well, Iceland's only link to the rest of the world is a single 128K line to Europe ...there is no direct link to the US ... so FTP to/from here can be quite slow.

Any of the following sites may be a better choice:

    oak.oakland.edu         141.210.10.117
    wuarchive.wustl.edu     128.252.135.4
    archive.orst.edu        128.193.2.13
    ftp.uu.net              192.48.96.9
    ftp.funet.fi            128.214.6.100
    src.doc.ic.ac.uk        146.169.2.1
    ftp.switch.ch           130.59.1.40
    archie.au               139.130.4.6
    NCTUCCCA.edu.tw         140.111.1.10
    ftp.technion.ac.il      132.68.1.10

In addition, it is also found on:

    garbo.uwasa.fi          128.214.87.1
    ftp.demon.co.uk         158.152.1.68
    atlantis.utmb.edu       129.109.12.7

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 12 Jul 94 11:24:54 -0400
From: Chip Seymour
Subject: VIRSTOP with /NOTRACE (PC)

For what it's worth -- The "/NOTRACE" option in VIRSTOP appears to cure the 'Wedged PC' problem that occurs in Windows for Workgroups v3.1. WfW v3.1 must do cruel and unusual things to memory management. WfW v3.11 behaves itself.

chippa

------------------------------

Date: Tue, 12 Jul 94 11:26:22 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: _HELP ! (PC)

kazatski@kartaly.chel.su (Kazatski Oleg Nikolaevitch) writes:

> This is (may be) the virus "Drug-959/987". Infected EXE and COM files,
>resident. The length of COM files increased by 959 bytes, EXE - 987 bytes.
>Antivirus program - AIDSTEST, Lozinsky (Russia).
This is the virus that was originally reported as "Joe's Demise", but is now named Requires.959 ... It is "in the wild", so yes...it could indeed be the virus the original poster asked about.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 12 Jul 94 11:25:52 -0400
From: pnd2@ukc.ac.uk
Subject: Search for ftp site (PC)

Hi there n-surfers, was just wondering if there is a site available for scanners from Dr. Solomon's ...

Cheers
Prem D.

- --
Premkumar N. Devadason     e-mail : pnd2@ukc.ac.uk
Dept. Of Comp. Science     Res. Ph : +44-227-763847         ,__o
University of Kent                                         _-_>/_,
at Canterbury.(U.K.).                                     (*)/'(*)

------------------------------

Date: Fri, 08 Jul 94 06:35:12 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: tbav621/tbavx621 - Thunderbyte anti-virus v6.21 (complete/optimized) (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
tbav621.zip     Thunderbyte anti-virus pgm (complete) v6.21
tbavx621.zip    TBAV anti-virus - processor optimized versions

Replaces:
SimTel/msdos/virus/
tbav620.zip and older
tbavu620.zip and older
tbavu620.zip and older

The Thunderbyte Anti-Virus utilities are ShareWare. There are four security modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are programmed in assembler and therefore very fast!

TbScan is a signature, heuristic and CRC scanner. It detects known, unknown and future viruses. TbScanX is the resident version of TbScan. TbClean is the first heuristic cleaner in the world. Even an infected file with an unknown virus can be cleaned. TbMon consists of three resident programs (TbMem, TbFile, TbDisk) which monitor your system against unknown viruses. From version 6.09 a Windows interface is included.
TBAV is uploaded by its authors to anon-ftp site ftp.twi.tudelft.nl (in dir /pub/msdos/virus/tbav) and from there distributed to SimTel, garbo.uwasa.fi and nic.funet.fi and from there to their mirror-sites.

NEW: This is another major update, so no tbavu621.zip file is available. Also: in a few days, the tbavw621.zip (complete Windows version) will be released ...

Piet de Bondt                              E-mail: bondt@dutiws.twi.tudelft.nl
==========================================================================
FTP-Admin for MSDOS Anti-virus software at: ftp.twi.tudelft.nl

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 57]
*****************************************
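Editor's added example, placed after the digest so that it does not interrupt any poster's message; it is not part of the digest, VIRUSCAN, VDS or any contributor's text. Both the McAfee bulletin quoted in Steve Tamanaha's post (the /EXT external-string file, "one string per line") and the VDS 'Junkie' information (the "user-defined signature" strings) describe the same detection mechanism: a hex byte pattern in which '?' (or '??') stands for one byte the scanner ignores, so that the same string matches regardless of the per-file values in a simple XOR decryptor. The Python below implements such a wildcard signature matcher. The hex strings are the ones printed in those two posts; the signature-file layout, the name labels on its lines, the buffers it scans, and the function names are all constructed here for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample signature file in the one-string-per-line form the McAfee
# bulletin describes: a quoted hex pattern followed by a name. The hex strings
# are the ones printed in the digest; the third label is our own.
SAMPLE_EXT_FILE = '''\
"C7 09 8B F7 AC 34 ? AA E2" Chill Touch
"26 81 34 ? ? 46 46 E2 F7" Junkie Virus
"be ?? ?? b9 f4 01 26 81 34 ?? ?? 46 46 e2 f7" Junkie (VDS file string)
'''

# A compiled signature: its name and, per position, a byte value or None for
# a wildcard position that matches any byte.
Signature = Tuple[str, List[Optional[int]]]

_LINE_RE = re.compile(r'^\s*"([^"]+)"\s*(.*)$')


def compile_signature(hex_string: str) -> List[Optional[int]]:
    """Turn '26 81 34 ? ? 46' into [0x26, 0x81, 0x34, None, None, 0x46].

    '?' and '??' are both accepted as a one-byte wildcard, since the two posts
    use both spellings. Leading/trailing wildcards are rejected: they add no
    information and would make the anchor-byte search below meaningless.
    """
    pattern: List[Optional[int]] = []
    for tok in hex_string.split():
        if set(tok) == {"?"}:
            pattern.append(None)
        else:
            pattern.append(int(tok, 16))  # ValueError on a malformed token
    if not pattern or pattern[0] is None or pattern[-1] is None:
        raise ValueError("signature must start and end with a concrete byte")
    return pattern


def load_signatures(text: str) -> List[Signature]:
    """Parse a VIRUS.TXT-style file: quoted hex plus name, or a bare hex line."""
    sigs: List[Signature] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m:
            hex_string, name = m.group(1), (m.group(2).strip() or "unnamed")
        else:
            hex_string, name = line, "unnamed"
        sigs.append((name, compile_signature(hex_string)))
    return sigs


def find_signature(data: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Return every offset in data at which the wildcard pattern matches."""
    hits: List[int] = []
    n = len(pattern)
    anchor = bytes([pattern[0]])  # first byte is concrete, use it to skip ahead
    start = data.find(anchor)
    while start != -1 and start + n <= len(data):
        window = data[start:start + n]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            hits.append(start)
        start = data.find(anchor, start + 1)
    return hits


def scan(data: bytes, sigs: List[Signature]) -> List[Tuple[str, int]]:
    """Run every signature over data; return (name, offset) for each hit."""
    return [(name, off) for name, pat in sigs for off in find_signature(data, pat)]


# Constructed test buffers. SAMPLE_FILE embeds, at offset 16, a 15-byte
# sequence that matches the VDS file string (wildcard slots filled with
# arbitrary values); it is a match target for the scanner, not a program.
FILLER = bytes(range(16))
JUNKIE_LIKE = bytes.fromhex("be 34 12 b9 f4 01 26 81 34 aa 55 46 46 e2 f7")
SAMPLE_FILE = FILLER + JUNKIE_LIKE + FILLER
CLEAN_FILE = bytes(range(256))


def main() -> None:
    sigs = load_signatures(SAMPLE_EXT_FILE)
    for name, off in scan(SAMPLE_FILE, sigs):
        print(f"{name}: match at offset {off}")
    print("hits in clean buffer:", scan(CLEAN_FILE, sigs))


if __name__ == "__main__":
    main()
```

Note that the shorter McAfee string is a suffix of the longer VDS string, so the sample buffer produces one hit from each, six bytes apart; a real scanner would report the file once under whichever name it prefers. The anchor-byte search is the usual optimization for this kind of matcher and is the reason the loader refuses a signature whose first byte is a wildcard.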