VIRUS-L Digest   Wednesday, 10 Aug 1994    Volume 7 : Issue 65

Today's Topics:

Re: Bad and good viruses...
Re: A new m naming scheme for settling the good virus issue
Info
Re: Ignorance
Questions for anti-virus community
Re: Viruses = Commercial Opportunity?
Virus Life?
Re: Good Viruses
Anonymous FTP Site Distributing Viruses?
Good Viruses
A new m naming scheme for settling the good virus issue
Mutating viruses?
Virus Scanners, Detectors, etc.
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Rosenthal Virus Simulator (PC)
Carmel Anti-Virus (PC)
HELP: Wrinting DOS utility (PC)
re: Form Virus Mutation! Netware problem? (PC)
Re: junkie vir and freinds (PC)
Re: Junkie virus (PC)
Eli Shapira's AV products (was: MtE Virus info wanted) (PC)
Anyone reviewed McAfee's ROMShield? (PC)
Re: Form Virus Mutation! Netware problem? (PC)
Re: THUNDERBYTE AV 621 (PC)
F-Prot 2.13 on Boot Disk (PC)
Re: Dr. Solomon's on the move! (PC)
Re: Seeking information on Anti.CMOS virus ... (PC)
Re: AntiExe virus, Help!! (PC)
Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
Re: VIRUSCAN 2.x gripes & grumbles (PC)
Re: THUNDERBYTE AV 621 (PC)
Re: THUNDERBYTE AV 621 (PC)
Virus Found, Please help (PC)
Stealth C Virus (PC)
Re: VIRUSCAN 2.x gripes & grumbles (PC)
Server downing virii - Netware corruption? (PC)
Re: AntiExe virus, Help!! (PC)
MtE Virus info wanted (PC)
Re: VIRUSCAN 2.x gripes & grumbles (PC)
How to remove FORM from PC bootsector? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 05 Aug 94 11:23:48 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bad and good viruses...

Bradley (bradleym@netcom.com) writes:

> > [about the so-called KOH virus]

> So called? You yourself named it as Stealth_Boot.D, the standard CARO
> virus name.

Yes, this is the standard name for this virus, not "KOH", that's why I used the expression "so-called".

> > > It's a virus that does what I said. It includes an uninstall option for
> > > the hard drive.

> > How about the floppies?

> Well... I'm sure you know how it works and what it can and can't do. But
> no, it doesn't remove itself from floppies. But, as it says in the
> docs, KOH infection can be turned off. So then the floppies would not
> be infected.

Don't shift the subject! So, it does not provide an easy mechanism to remove itself from the infected floppies. And you dare to call this nastie "benign" or even "useful" virus?! What if some bozo has it installed on their machine *without* turning off the floppy infection, and I give them a file on a floppy? When they access the floppy to get the file, the virus will infect *my* floppy. And *I* will have no easy ways to remove it. It has caused unauthorized modification of a computer medium that I own. In several countries, including your own, this is a crime. Therefore, the virus has made a criminal of the person who has decided to install it.
Besides, since recently another bozo posted this same virus to a newsgroup, I had to look more carefully at it. I have stated several times that there is ABSOLUTELY NO NEED to implement the function that this program performs in a virus. In fact, the crypto functions in the virus are pretty clearly separated from the viral code, which means that the author (Mark Ludwig) has just patched some existing crypto routines to an existing virus (Stealth_Boot.A, also written by him). Then, one could ask, why the heck attach those routines to a virus?! There are plenty of stand-alone programs that perform exactly the same task. They even perform it much better, because adding viral capabilities to the code makes it only more unreliable and more likely to trash your data, without any particular gain! Therefore, I conclude that the only reason for KOH to be written and released is to condone the actions of the virus writers - something that doesn't surprise me at all on the part of Mark Ludwig. He is known to have done several other unethical things.

> > First, the person who has written the preambule for KOH.README
> > certainly needs a spelling checker - two errors in a three-line
> > message is definitely too much.

> So now you're resorting to debasing my spelling? I didn't have any
> spelling errors in my "preambule". I did change the file names, and not
> modify the readme to reflect it, but that's not a typo. Also, it's
> about 8 lines, not 3.

I did not know that it is *you* who wrote it, because he calls himself "Aleph One" there. I meant the following text:

=>Ok. This is the encryption virus all have waited for from Mr. Mark
=>Ludwick,. The one he debuted at Def Con I. I been beta testing for him, and
=>this is the release version. Enjoy.

It *is* a three-line message. Consider the second line:

=>Ludwick,. The one he debuted at Def Con I. I been beta testing for him, and
  ^^^^^^^                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^

His name is "Ludwig". Should be "I have been beta testing".
I know that my own English is far from perfect, but I am Bulgarian. For an American to be unable to write correctly in his own language - it's a real shame.

> That was a big second point, I'll answer in parts. First, Netcom is not
> responsible for what I do.

Maybe they will think differently in the light of some recent court rulings against a BBS in California that used to distribute material which was illegal in *another* state...

> And Netcom isn't a provider in "several
> countries", it's a provider in America.

The national borders are only speedbumps on the information highway. The viruses that Netcom distributes from the accounts of their users are causing damage in the whole world.

> You want to tell the press? I don't care, what can they do to me? I

OK, I'll give it a try. I still am not convinced that the public opinion is completely devoid of common sense.

> are also files that I find interesting. There are books that describe
> killing and other illegal activities, are you going to call the
> press on them too?

Those books cannot kill people. As opposed to that, the viruses on your account can infect computers.

> Complain to them first. BTW, I think ITAR is irrational also.

I agree, but I wouldn't want to have to convince a judge that it is indeed so.

> these words are in debate currently. But, in this case you have already
> declared it a virus, that leaves the good part. I think it might be
> clearer on my part to say that it has the capability for usefulness,
> while having a limited capability for harm. I'd quote what the dictionary

The fact that you can use something in some cases for useful purposes does not make this something good. The *only* difference between this virus and a disk encryption capability is its viral capabilities. And its viral capabilities are exactly what make it inferior, when compared to the other disk encryption utilities.
Therefore, the virus is an excellent example of how adding viral capabilities to a useful program makes it worse.

> But there are many programs that can cause damage in some
> environments, I'm sure you can think of more than a few.

But all those programs do not spread by themselves, as it has been pointed out multiple times to several of the defenders of the virus writers here...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 05 Aug 94 11:29:30 -0400
From: bediger@teal.csn.org (Bruce Ediger)
Subject: Re: A new m naming scheme for settling the good virus issue

MANAL@delphi.com wrote:

>How about this one:
>
> Live program := a program that reproduces
> Virus := a bad live program
> bad := defined according to the morals and ethics of the individual

Deeply flawed. "Reproduces" is not defined. The combination of "Virus" and "Bad" definitions doesn't provide a way to make a falsifiable hypothesis about an arbitrary program. Therefore, the set of definitions given has no use as a reproducible, scientific test of whether some program is a virus or not.

Sincerely,
Bruce Ediger

------------------------------

Date: Fri, 05 Aug 94 14:20:20 -0400
From: stanr@mdhost.cse.TEK.COM (Stanley E Ridenour)
Subject: Info

I have been following this forum for years. However, the information I would like to have at my finger tips, I have yet to come across. I would like to see statistics on the incidence of viral attacks by type and geographical location, as well as trends on the spread of each type. Does such a clearinghouse exist?
Stan

------------------------------

Date: 05 Aug 94 14:27:00 -0500
From: jerry@hnrc.tufts.edu (Jerry Dallal)
Subject: Re: Ignorance

a_rubin%%dsg4.dse.beckman.com@biivax.dp.beckman.com writes:

> bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>
>>Hello everybody,
>
>>> What does one do, in principle, when:
>
>>> One does not want to shell out $395 for an obsolete Word Perfect 5.1
>>> that one's wife's work requires files to be formatted in;
>
>>> One has one's wife use the default "word processor" that comes with
>>> Windows (Write), then uses the Software Bridge to translate it to WP format;
>
>>> Wife's work runs virus checker (and are naive to the point of not
>>> knowing which one), and gets a positive on a translated file;
>
>>> What would you have them do?

I agree with the company. It's hard enough getting people to check for viruses. I don't like introducing the idea of ignoring positives when they can be avoided by using the required software. On the surface, it would seem that *the company* ought to spend the money for the additional copy of WP5.1. I don't think it will cost $395, though.

Me? I'd look for another translator or disinfect the file myself before turning it in.

------------------------------

Date: Fri, 05 Aug 94 23:15:20 -0400
From: cvhender@csn.org (Chris Henderson)
Subject: Questions for anti-virus community

Well it seems as if this group is directly plugged into the av authors of the world.. I would like to take just a minute to say I am grateful for stumbling on such a news group, and there seems to be some fine work done in this field. However, I would like to ask a few questions about viruses, won't get techy though..

Is there a finite number of viruses as yet guessed at for each of the systems: OS/2, Windows, Unix, DOS, etc...?

Where seem to be the most viruses being made, {geographical} and field.. {BBS, LAN, r&d}

Does a DOS based BBS have any concerns if using THDPRO9.01 w/ tbav, scan117, f-prot213a?
Does a DOS based BBS have any concerns of being online 24h/7d a week towards viruses.. I also run full system b.u.'s a week, not much activity, but want to start porting rfc822 messages and fidonet {fts-1?} in on a daily basis. Should I be scanning the mail packages?

Anyone with any insight on this I would be very grateful to. And would also pass it on to other sysops in the nets I belong to.

Thanks..
Christopher Henderson

------------------------------

Date: Sat, 06 Aug 94 01:24:36 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Viruses = Commercial Opportunity?

>> While it might take and one for a *person* to analyse a virus, it is
>> quite possible to:
>>
>> 1) Use already existing information to your advantage.
>> There is a lot of information on the net, even some useful info in
>> VSUM that could be used to make this speed up.
>
>No, the kind of information you are talking about might help in writing
>a primitive brute force scanner, but these have not been up to the job
>for a couple of years now. Consulting VSUM will actually hurt you. You
>have to do your own research.

As for information on the net regarding viruses -- Most of it is vague enough to only allow general concepts explored by viruses. This allows people to "do their own research" and can help influence exactly how their product would be developed -- keeping them away, for example, from a brute force scanner.

VSUM can provide some useful information if you care to help inform your users about what a particular family of viruses have in common, for example. While I don't mean to say that VSUM even is accurate with family descriptions, for many it is. Obviously to develop a scanner, a copy of the virus must be around to analyze, and it can help point you in the right directions if you use vague descriptions. For example, the text "PATH=" in the Vienna viruses could suggest something in the virus might look at the PATH set in your environment to infect more files.
This is true for all the Vienna variants I have seen.

>> 2) Even for one person, I've always found it useful/helpful to have
>> more than one computer. More than one hard drive might be kinda useful
>> if you have only one computer. This allows you to have systems with
>> different versions of dos -- many viruses might only work with dos 3.3,
>> or 5.0 or...
>
>The anti-virus researchers I know have lots and lots of computers, even
>networks, set up for the various virus research tasks. I have five
>myself, just for fiddling around. The problem is not equipment, but
>personnel who can do the job.

I agree that it is difficult to find people who can work with viruses that are worthy of trust, as well as competent enough to analyze them without making a big mess. However, most people with a background in ASM could probably be trained in how viruses work, as well as things to look for, in a relatively short time.

Your ideas of "virus research" aren't clear to me, could you expand on what you consider virus research? (i.e. does that mean "how to find and remove a virus", or "predicting current trends in virus development", or what?)

>> 3) Do you really need to detect 4500 viruses to be a useful product?
>> There are many other products which don't detect nearly that many
>> which still sell *quite* well.
>
>The original query postulated 100 percent detection. All the answers
>said it was not possible, especially for a start-up product. If you
>want to talk about a lower detection rate, then you have to remember
>that the product will be competing with many other products that do
>detect nearly 100 percent.
>
>If you want to sell a product with inferior detection, you will need a
>very pretty user interface and a terrific marketing department. There
>are existing products which have these, too.

I agree that detection is an important aspect of an anti-virus product. What I disagree with (apparently with a lot of people :( ) is that detection is always 1st priority.
Viruses are a somewhat technical issue, and most people don't have the time in order to learn how they work. If someone gets infected, they just want to get rid of the thing and continue along with their work. They want people to talk to when they get a virus. For example, I don't really know how the innards of my car work, but when it breaks on me, I sure as hell want it fixed right away!

Now, if you plan on going on to talk about how the virus might not be found in the first place, so the person wouldn't know what was wrong, I have two points:

1) When your car breaks, do you know what is wrong with it immediately? Maybe sometimes. A flat tire, for example, just as a virus printing a stupid message like, "I am a virus", or something else which suggests there might be something afoot...

2) Most anti-virus products of any quality have a decent integrity checking system. This way, when something not currently identified exactly is found, someone could be contacted to find out what IS wrong, if the problem can't be immediately fixed by some kind of data that might be stored away.

>I once turned out an add-on driver for a new virus in an hour and a
>half, from receiving the virus sample on our BBS to FAXing the driver to
>the affected premises in another country. This is for a product which

Which virus is this?

>What you are saying above is that you would delay any work on a newly
>arrived virus sample until you were sure that it had been released in
>the wild. Also, you would not handle known viruses that had been around
>a long time until you heard that they had appeared in the wild. This
>will put you behind, not ahead, of the competition.

The idea was supposed to be twofold: First, detect viruses in the wild, then worry about others -- so prioritizing, which you acknowledged. If there isn't anything to do, obviously virus signatures should not halt, just move on to viruses which are not yet in the wild.
>> Plus, you'd benefit from smaller size, faster scans, and
>> a higher repair rate (since you could concentrate on repairs for
>> some of the nastily encrypted polymorphic viruses)
>
>You make it sound easy. To me that says that you have never tried doing
>it. Repair is one of the most difficult things to do. Nonetheless, the
>anti-virus products that are the best at repair also have the
>highest detection rates. Limiting competence in one area does not
>magically give you extra competence in another.

It requires work, but I don't see what makes it more difficult than writing a compiler, an OS, a spreadsheet, or any other major application. I strongly disagree that repair is one of the most difficult things to do. Repair is actually quite trivial a concept for most products that are capable of storing away some data on each file on the drive, and it still is not a very difficult thing to do when it comes to repairing files that you don't have any kind of data on. No, I would say that detection is much more difficult to do because you must not get false ID's. Once you have an accurate identification, a repair is often quite simple, even for polymorphic and encrypted viruses, within reason. It is quite simple to repair mostly any boot sector/master boot sector virus generically, if you can't repair it otherwise (which should be preferred since you wouldn't want to destroy some kind of boot manager, for example.)

>> 5) How much can the process be automated? With Linux becoming more
>> popular on PC's, how much can DOSEMU benefit someone working with
>> viruses? I'll just leave this one open for your thoughts... :)
>
>As a research tool, someone is probably already using it if it is any
>good. Others are using other things that they prefer. You don't have
>to suggest tools for these people, they know about tools.

Could you please extrapolate on this?
I am currently interpreting this as equivalent to, "you don't need to suggest any tools to researchers because they already know about them." Is this what you are trying to say, or are you trying to say, "you don't need to tell anyone about tools because they already know about them." Or are you trying to say something else? This seems a pretty closed-minded statement, which is why I am asking before I go off on it.

>> >Do you see now why this is not for newcomers? Only a company with a
>> >lot of experience and an already established product in the field will
>> >be able to keep up with the game.
>>
>> Maybe a lot of experience in ASM programming, but probably not a whole
>> bunch more.
>
>Don't kid yourself. AV products have to have Windows and Novell NLM
>versions to succeed now, in addition to DOS foreground and DOS TSR. At
>least one (Dr. Solomon's) has an OS/2 version. You have to be able to
>program on a lot of platforms, as well as understand esoteric assembler
>to do the virus research. This means a team of capable people.

Indeed capable people!! Esoteric assembler? I think not. Grab any person who has been doing embedded systems programming for a year or more, and with proper training, I think they would be quite capable. As for Windows, Novell NLM, DOS TSR's, etc., these can all rely on the same engine, which is the most difficult part. Once the basic scanning engine has been built, the rest is much simpler -- there are many people who are capable of programming in the aforementioned environments, but fewer with the knowledge of how to build a quality scanner.

>> >That hasn't been very wise from your part, because Flu-Shot wouldn't
>> >protect you from a boot sector virus like Michelangelo, and NAV is one
>> >of the worse anti-virus products around.
>>
>> Yeah, just because it has a smaller detection than, say, McAfee's SCAN,
>> let's say, it must be amongst the worst, eh?
>> At least there couldn't
>> possibly be any other factors that go into an AV product's reviews, eh?
>
>Why would you choose a product that detected fewer viruses (including in
>the wild viruses as it happens) rather than one that detected more? Why
>would you expect a review of anti-virus software to ignore the relative
>detection rates? There are other factors, and they are covered in every
>review I have ever seen, but the main functionality of the product *has*
>to be important.

I might choose a product that detected more viruses than another because of

1) Ease of use/interface
2) Support
3) Size of company behind it.
4) Tests of my own. (Remember, this is an "I might choose...")
5) Reputation

Those are some reasons why I might choose a product which detected fewer viruses than another.

One other factor that is never covered in a magazine is a *real world* occurrence and use. That is because that is the whole point of doing a review. With that in mind, give it what it is worth. For example, I read reviews about how crappy movies are, all of the time. I find that I often enjoy them. And, it seems that other people enjoy them often as well. Of course, this is distributed amongst the, "review said it was good, but it wasn't, review said it was good, and it was," etc.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Sat, 06 Aug 94 14:18:23 -0400
From: shornik@shadow.net (Steve Hornik)
Subject: Virus Life?

I just read an article in The Miami Herald which reports Stephen Hawking saying that "I think computer viruses should count as life". He goes on to say that "A living being usually has two elements, First, an internal set of instructions that tell it how to sustain and reproduce itself. Second, a mechanism to carry out the instructions".
These comments were made at the Macworld Expo in Boston, was anyone there? Does anyone know where this issue is being discussed on the net?

Steven Hornik
- --
Steven Hornik
horniks@servax.fiu.edu

------------------------------

Date: Sat, 06 Aug 94 14:57:37 -0400
From: smidt@cd.chalmers.se (Peter Smidt)
Subject: Re: Good Viruses

Padgett 0sirius wrote:

>"AMERICAN EAGLE PUBLICATION INC." <0005847161@mcimail.com> writes:
>>I would like to ask a question to some of the people who seem ready to attack
>>any and everyone who suggests a good virus is possible: What criteria would you
>>propose to qualify a virus as "good"?
>
>Sure: describe something that someone might want/need to do and which
>can only be done by self-propagating parasitic code (virus).
>
>Thus far I have not been able to come up with anything that satisfies this
>criteria. KOH is often mentioned but what does it do that STACKER (tm)
>doesn't ? Online LAN updates are mentioned, but I came up with the notion
>independently (cannot say if first) and have never needed a virus to
>accomplish this.

A good virus is a dead virus... Some even say that DOS is the biggest virus ever written.

/Maaniker
- --
+=======================================+
"The whole valley is like a smorgasbord." -- TREMORS

------------------------------

Date: Sat, 06 Aug 94 21:56:19 -0400
From: Iolo Davidson
Subject: Anonymous FTP Site Distributing Viruses?

iandoug@cybernet.za "Ian Douglas" writes:

> Iolo Davidson (iolo@mist.demon.co.uk) wrote:
> [re closing down vX sites]
>
> > I have come to believe that this is (a) futile and (b)
> > counterproductive.
>
> > The only way to
> > destroy the market is to allow free distribution of viruses.
>
> Not sure I follow this.. I have seen the results of people getting
> access to things like VCL - where some twit uploads two variants of
> his creation to about 5 BBS's within half an hour...
>
> If we consider the many variants of Vienna, Burger, Stoned,
> Jerusalem, etc, all of which have had their source code widely spread,
> it appears that spreading code only makes the problems worse.
> Or am I missing some insight that you have?

My insight is that the things you mention have happened *despite* efforts to restrict the availability of viruses. It didn't work with alcohol, it isn't working with drugs, it will not work with viruses. I am not in favour of viruses being distributed, but prohibition does not work. Think of something more effective.

- --
  WITHIN THIS VALE      YOUR HEAD GROWS BALD
  OF TOIL               BUT NOT YOUR CHIN
  AND SIN                        Burma Shave

------------------------------

Date: Sat, 06 Aug 94 21:56:27 -0400
From: Iolo Davidson
Subject: Good Viruses

padgett@141.240.2.145 "Padgett 0sirius" writes:

> KOH is often mentioned but what does it do that STACKER (tm)
> doesn't ?

The point is valid but I think you meant to compare Cruncher virus with Stacker, or KOH with something like SecureDrive or SecureDevice.

- --
  WITHIN THIS VALE      YOUR HEAD GROWS BALD
  OF TOIL               BUT NOT YOUR CHIN
  AND SIN                        Burma Shave

------------------------------

Date: Sat, 06 Aug 94 21:56:44 -0400
From: Iolo Davidson
Subject: A new m naming scheme for settling the good virus issue

MANAL@delphi.com writes:

> How about this one:
>
> Live program := a program that reproduces
> Virus := a bad live program
> bad := defined according to the morals and ethics of the individual

Leaving us with the moral: The only good program is a dead program.

- --
  WITHIN THIS VALE      YOUR HEAD GROWS BALD
  OF TOIL               BUT NOT YOUR CHIN
  AND SIN                        Burma Shave

------------------------------

Date: Sun, 07 Aug 94 08:09:02 +0000
From: c0900238@techst02.technion.ac.il (Dimerman Dan )
Subject: Mutating viruses?

Hi!

In some antiviruses I noted that under the comment about a certain virus goes something about a "mutation" of some original virus.
Besides the human touch to some part of the virus code, can it be that, taking into account the exponential rate of propagation and some kind of "noise" in the process of propagation, it is analogous to the biological viruses' propagation and mutation processes? Set aside the complexity of the latter against the former... I mean, if not now perhaps in the future, can a piece of self-replicating code be changed in a way that in some cases it's still runnable?

Thanks for your time...
Dan.

------------------------------

Date: Sun, 07 Aug 94 21:08:32 -0400
From: toloo@eleceng.ee.queensu.ca (Mansour Toloo Shams)
Subject: Virus Scanners, Detectors, etc.

Hello:

What are the "best" Virus Scanners? In particular, where can I get the latest version of the F-PROT?

Best Regards
Mansour

------------------------------

Date: Fri, 05 Aug 94 09:53:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

> Thank you for your very positive comment about my Virus Simulator
> on Virus-L.

His "very positive comment" indicates only that you have succeeded in fooling him into believing that your Virus Simulator is useful, which it isn't, as I have explained several times already.

> Your useful application of my Virus Simulator for
> training and demonstrations is exactly its intended purpose and I
> appreciate your sharing that publicly.

I strongly suspect that the intent to fool the people that your program is of any use and therefore to buy it has been exactly your intended purpose.

> The current shareware version of Virus Simulator is VIRSIM2C.ZIP
> and is available from most BBS's, ftp sites and ASP vendors.
> Registered users now receive three additional supplements
> described in the documentation.

...such as viruses. I will *really* appreciate it if you stop promoting your viruses here. It contradicts the charter of this forum.
Go brag about them on your favorite virus exchange BBS.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 05 Aug 94 09:57:55 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator (PC)

Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

> >IMHO, there is no such thing as a benign virus - if it replicates, it
> >has to either create files (companion) or mess with existing files,
> >BS, or FATs. When it does so, it ceases to be 'harmless' and starts
> >causing damage.
>
> Not necessarily as the Virus Simulator MtE supplement first
> supplies its own host sample files to infect. At first only two
> samples are infected with a virus based on an actual Dark Avenger
> mutation engine that has been made safe and benign.

Rubbish. This is a LIE! The "actual Dark Avenger mutation engine" has _*NOT*_ "been made safe and benign" at all, BECAUSE IT HAS NOT BEEN MODIFIED IN ANY WAY! I have a copy of your viruses and have checked. As the original poster wrote, THERE IS NO SUCH THING AS A BENIGN VIRUS. Benign *real* virus, that is. The two MtE-based viruses that you are selling are real viruses - unlike the junk that gets generated by your so-called "virus simulator".

> When the (clearly marked) infected test samples are executed,
> they announce their intention and if given the user's permission,
> will in turn infect (only) the other host files supplied on the
> floppy disk.
It takes only a couple of minutes for any hacker worth his salt to load your "clearly marked" virus with DEBUG and change a couple of bytes, thus removing both the "announce of their intention" and the code that asks for "user permission", as well as the part that "infects only the other host files supplied on the floppy disk".

> The Virus Simulator MtE supplement virus therefore
> has both the permission of the user, and the consent of the
> copyright holder (me) of the host files it modifies.

The Virus Simulator MtE supplement virus therefore provides a convenient means for any malicious person to get his very own highly polymorphic virus, without having to spend the time to write one. As such, your product is *harmful* and you are a shame to the Association of Shareware Professionals that you claim to be a member of.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Fri, 05 Aug 94 10:08:13 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Carmel Anti-Virus (PC)

From: elis@teleport.com (Eli Shapira)
>Mr. Radai - you never had anything good to say about CPAV or MSAV, fortunately
>for Central Point - Millions of users disagree with you.

Am reminded of the saying "Ten million lemmings can't be wrong".

IMHO as an anti-virus product CPAV/MSAV (at least the versions I've seen) is better at identification of viruses than Windows in 32BitDiskAccessMode but not as good at detection. Also have trouble taking seriously a product that contains strings such as "Eli and Yuval have killed the Lehigh virus !!!" (from memory so order of names might have been off but not the "!!!").

Will certainly go along with the fact that Mr.
Shapira has made far more money from the Carmel product than I have from
DiskSecure, but then DSII is FreeWare. AFAIAC viruses are an annoyance to be
eliminated so that I can get back to productive work (like Teapots).

Warmly,
Padgett

Who cares about the lawyers, I own a Judge 8*)

------------------------------

Date: Fri, 05 Aug 94 10:47:56 -0400
From: David.Thomson@newcastle.ac.uk (David Thomson)
Subject: HELP: Writing DOS utility (PC)

NO I'm *NOT* trying to write a virus. It's actually for a *very* low cost
fully programmable dongle I've designed.

Basically I'm trying to write a small utility that will read in an exe and
add some functions to it so that when the exe is subsequently run, the new
function is executed first: if it finds the dongle then the program runs as
normal, if not the program exits there and then.

I know a little about the exe header format, and think I should be able to
read the original IP, store it and replace it with the position of the code
I'll be adding; if the dongle is found I assume I can just do a jump to the
original IP, otherwise exit.

I will be providing a set of libraries as well so that program authors can
add multiple calls to check that the dongle is still there but I'd like to
provide this quick start option as well.

Cheers

------------------------------

Date: Fri, 05 Aug 94 10:50:04 -0400
From: "David M. Chess"
Subject: re: Form Virus Mutation! Netware problem? (PC)

> From: billt@pipeline.com (Bill Taub)
> The strange thing is that we have isolated the route of
> infection- it is distributed by the network (Netware 3.12,
> recently upgraded from 3.11) file-servers (Tricord model 400 -
> two of them). The infected machines range in usages from

Hm. What actual evidence do you have of that? The virus is a boot
infector, and almost invariably spreads via diskette, not over the LAN.
(It can in theory be spread by a "dropper" program, but I've never seen
it happen in practice.
It can also spread through some remote-boot schemes, where one machine
boots from a disk or disk image stored on another, but this is also very
rare). I would guess that it was actually spread by diskette in your case
as well, unless you have strong evidence to the contrary.

> dos-apps to windows. The infected floppies found were not
> bootable, yet Form is supposed to be a boot-sector virus.
> (there were no COMMAND.COM nor IO.SYS on these disks.

*Any* formatted floppy is bootable (i.e. contains a boot sector with code
in it), and can become infected by a boot virus. It does *not* have to be
a "system" floppy, with COMMAND.COM and the system files on it. Even
data-only diskettes can be infected by boot viruses; accidentally booting
off of one and getting the "Non-system disk or disk error" message is
sufficient to infect your hard disk.

> Some machines ran fine (barring a few memory problems) except
> for an audible key-click from the PC speaker. This was not
> described in any listing for FORM that we encountered.

You've been reading pretty poor listings! The FORM virus causes the PC
speaker to click on keystrokes on the 18th of the month.

- - -- -
David M. Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date: Fri, 05 Aug 94 12:14:38 -0400
From: ykchung@Winkie.Oz.nthu.edu.tw (is2a)
Subject: Re: junkie vir and friends (PC)

Peter Moehlmann (moehlman@athene.informatik.uni-bonn.de) wrote:

> junkie but it doesn't find all. there are some variety. Any progs
> which will kill this prog? Share or pay ware. I can't make boot disk

Hello!

You may contact f-prot's author FRISK at frisk@complex.is. He will answer
your question and help you. I don't remember if AVP 2.0F or TBAV 6.22 will
work. But try AVP 2.0F (also in 140.113.204.21). It is a pretty nice AV
product.

> how can I contact McAfee or f-prot?

See above.

Sincerely.
- --
Jimmy Chung ( Chung Yuan-Kai )           u801403@Winkie.Oz.nthu.edu.tw
National Tsing Hua University            bugger@ftp.cis.nctu.edu.tw
Hsin-Chu, Taiwan                         Bugger.bbs@bbs.nsysu.edu.tw

------------------------------

Date: Fri, 05 Aug 94 12:23:18 -0400
From: ykchung@Winkie.Oz.nthu.edu.tw (is2a)
Subject: Re: Junkie virus (PC)

Peter Moehlmann (moehlman@athene.informatik.uni-bonn.de) wrote:

> Here is one of the victims. Where can I get the progs ivscan/b ivb and ivscan ?

The files I had gotten from 134.100.4.42. Now, you could also try our site.

ftp.cis.nctu.edu.tw ( 140.113.204.21 )
/Msdos/antivirus

files:
-rw-r--r--  1 bugger   staff     301437 Jul 11 18:56 invb506d.zip
-rw-r--r--  1 bugger   staff      37971 May 22 22:11 ivmanual.zip

Hope this works.

Sincerely.

- --
Jimmy Chung ( Chung Yuan-Kai )           u801403@Winkie.Oz.nthu.edu.tw
National Tsing Hua University            bugger@ftp.cis.nctu.edu.tw
Hsin-Chu, Taiwan                         Bugger.bbs@bbs.nsysu.edu.tw

------------------------------

Date: Fri, 05 Aug 94 13:02:47 -0400
From: "Y. Radai"
Subject: Eli Shapira's AV products (was: MtE Virus info wanted) (PC)

Eli Shapira, principal author of CPAV/MSAV/VSafe, writes:

> A person needed help with a false alarm and you are using the opportunity
> to bash myself, the most awarded Anti-Virus product in the industry and the
> company I am working for.

I plead guilty to the charge that I took the opportunity to try to get you
to speak out in public about the true QUALITY of your product.

> You did "forget" to mention that you are working closely with BRM which is
> working with Symantec - author of Norton Anti-Virus.
>
> One more thing - Central Point and Symentec have merged and are now operating
> as one company. So I am actually a Symentec employee for some time
> now.

First, if you're trying to give readers the impression that I have some
kind of financial interest in BRM and am therefore prejudiced, that is
totally incorrect. Secondly, I am well aware of the mergers and
acquisitions which have taken place.
What I don't understand is why you think that's at all relevant. It doesn't
make the slightest difference to me whether Central Point, Norton, and
Fifth Generation are now under one organizational hat or not, or whether
you're a Symantec employee or not; I am talking about THE QUALITY OF THE
SOFTWARE WHICH YOU HAVE AUTHORED. (By the way, you really should learn to
spell the name of your own company: it's Symantec, not Symentec!!)
                                            ^             ^

> Mr. Radai - you never had anything good to say about CPAV or MSAV,

Well, that's *almost* an accurate statement. (I say "almost" because
someone once described MSAV/VSafe on Virus-L as "a crummy, problem-causing
product" and I partly [perhaps mistakenly] took your side.)

> fortunately
> for Central Point - Millions of users disagree with you.

You mean millions of users who don't have the slightest idea of what
constitutes a good product and therefore base their choice on marketing
hype. I must admit that you excel in marketing. But marketing is one
thing and quality is another. And it's quality which interests the
people in this group.

> Central Point Anti-Virus won Two PC Magazine Editor choice, Two Software
> Digest awards and One Windows Sources magazine award.

Now that's really a laugh. I don't think any product review of PC Magazine
was more severely criticized by its readers than its 1993 review of AV
products. I corresponded with Neil Rubenking and Robin Raskin of PC
Magazine on this. It turns out that the editors' choices were essentially
based on having a nice user interface and 3 kinds of AV modules (a
scanner, an activity monitor, and integrity checking). The reviewers had
no idea of how to *compare* a given module in different products. In
particular, Ms. Raskin didn't have the slightest idea what a security
hole was. (And to judge by your products, apparently neither do you, or
at least you don't seem to care in the slightest whether your products
have them.)
I've never seen the other two magazines which you mention, but I note that
none of them specializes in viruses. Why don't you mention the sources
which do specialize in this and which have given your products a *low*
rating?

Sorry to have to point this out to you, Eli, but boasting about sales
figures and awards by reviewers who do not have an in-depth understanding
of viruses just doesn't go over very well in this group. Many of the most
respected people in this group (Vesselin, Frisk, and many others) have
criticized CPAV/MSAV even more severely than I have.

Most important: Your entire answer is a typical reply of a person who
thinks in MARKETING terms instead of in terms of PRODUCT QUALITY. How
revealing it is that in your reply you COMPLETELY IGNORE THE REAL ISSUE
which I raised: NOWHERE DO YOU MAKE THE SLIGHTEST ATTEMPT TO REPLY TO THE
CHARGE THAT DUE TO DELIBERATE NEGLIGENCE ON YOUR PART, YOUR PRODUCTS CAUSE
FALSE POSITIVES WHEN OTHER SCANNERS ARE USED AFTER YOURS HAVE LEFT
(UNENCRYPTED) SCAN STRINGS IN MEMORY.

And I'm just getting warmed up. I haven't even started to detail the many
SECURITY HOLES in CPAV/MSAV ....

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Fri, 05 Aug 94 18:17:08 -0400
From: Rich Travsky
Subject: Anyone reviewed McAfee's ROMShield? (PC)

Info World (Aug. 1) has an article on McAfee's new ROMShield. Has anyone
here given it a test run? Any reviews on its effectiveness?

Richard Travsky                        Division of Information Technology
RTRAVSKY @ UWYO.EDU                    University of Wyoming
                                       (307) 766 - 3663 / 3668
"But here's an object more of dread than aught the grave contains
 A human form with reason fled while wretched life remains"   A. Lincoln

------------------------------

Date: Fri, 05 Aug 94 19:34:41 -0400
From: fguidry@crl.com (Fran Guidry)
Subject: Re: Form Virus Mutation! Netware problem? (PC)

Bill Taub wrote:
>Hello...
>  I work for a network/computer system integrator.
>One of our
>clients has had a problem with what CPAV, MSAV, and Intel's
>Landesk Vprotect/Lprotect 2.0 considers "Form" virus. Several
>of the CNE's involved with the clean-up suspect it is an
>altered form of FORM virus, or a new virus that matches the
>pattern search.

What evidence do they offer for these opinions?

>  The strange thing is that we have isolated the route of
>infection- it is distributed by the network (Netware 3.12,
>recently upgraded from 3.11) file-servers (Tricord model 400 -
>two of them). The infected machines range in usages from
>dos-apps to windows. The infected floppies found were not
>bootable, yet Form is supposed to be a boot-sector virus.
>(there were no COMMAND.COM nor IO.SYS on these disks.

Why do you believe you have "isolated the route of infection"? Pure
boot-sector virus infection cannot come from the network by definition.
It can only be spread by booting an infected floppy. _ALL_ formatted
floppies have a boot sector. Some have bootstrap loader code, some have
code that generates a "Non-system disk" message, some have boot sector
virus code.

>  Here is another strange thing: Intel's NLM was running on
>the file servers, yet the virus either spread undetected
>(possibly in a dormant form), or was sitting in these machines
>for some while (several months) waiting to become activated (by
>date? another trigger?).

Does this NLM detect boot-sector viruses with any great success? An NLM
would be at a great disadvantage against these kinds of virus programs,
because the virus would be resident and performing any stealth routines
long before the network connection can be made.

Fran

------------------------------

Date: Fri, 05 Aug 94 19:53:22 -0400
From: sikkid@axpvms.cc.utexas.edu (Banther)
Subject: Re: THUNDERBYTE AV 621 (PC)

patrick.noyens@cis-infoserv.be writes:

>It seems that TBSCAN vers. 621 (TBAV621) gives the wrong heuristic description in
>the log file and at the action menu.
>For example I get the heuristic flag 'C',
>which normally indicates missing ANTI-VIR.DAT files, while the files do have
>their ANTI-VIR.DAT setups (created by TBSETUP). Furthermore I get a lot of
[...]

This was a known problem with 6.21, and was fixed a few days after release
with 6.22. It should be available at oak.oakland.edu in /pub/msdos/virus.

Cheers,
sikkid

------------------------------

Date: Fri, 05 Aug 94 20:21:10 -0400
From: mike.murphy@atlwin.com (Mike Murphy)
Subject: F-Prot 2.13 on Boot Disk (PC)

OK, I guess I am either extremely paranoid or cautious...I take the latter.
I would like to make a boot disk using F-Prot 2.13 (yes, single user). I am
running into problems and I believe it is attributed to MS-DOS 6.22 and
using DriveSpace on my hard-drive. My point here is to boot my system with
a clean boot disk, with F-Prot on the clean disk (write protected).

Here are the files I have in my boot (floppy a:) disk: config.sys;
autoexec.bat; ALL F-Prot 2.13 files (too lengthy to list); command.com;
emm386.exe; himem.sys; ALL mouse files including mouse.com.

CONFIG.SYS:
FILES=40
BUFFERS=30,0
DOS=HIGH
DOS=UMB
LASTDRIVE=I
DEVICE=A:\HIMEM.SYS
DEVICE=A:\EMM386.EXE NOEMS
DEVICE=A:\VIRSTOP.EXE
DEVICE=A:\MOUSE.SYS

AUTOEXEC.BAT:
PROMPT $P$G
SET COMSPEC=A:\COMMAND.COM
PATH=A:\
A:
F-PROT

So, these are what I created in my bootable disk. F-Prot runs fine up to
the point of scanning. When I scan Hard Drive, it takes about 2 seconds,
scanning 10 files over 377mb. Wow pretty intense, but of course that is
not a proper scan. Somewhere along the line, it is not properly scanning
the drivespaced hard-drive. I would bet that I might have to add the
drvspace.sys into config.sys, but I am not sure. Is it even possible to
scan from a bootable floppy using F-Prot?

All help is deeply appreciated from this "extremely concerned for the
welfare of my PC" (<---read...Paranoid).

Thanks...Murfster

- --- CMPQwk #1.4.
UNREGISTERED EVALUATION COPY
- ----
+---------------------------------------------------------------------+
| The Atlanta Windows BBS (404)516-0048      9 high-speed USR nodes   |
| Largest Win-specific BBS in the SouthEast- CDROMs, RIME, INTERNET   |
+---------------------------------------------------------------------+

------------------------------

Date: Sat, 06 Aug 94 01:36:28 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Dr. Solomon's on the move! (PC)

R. Wallace Hale wrote:
>On Fri, 01 Jul 94 15:25:39 -0400
>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
>>> I've regarded Toolkit as one of the best AV products available and wonder
>>
>>The AVTK has one of the best *scanners* available. This does not
>>necessarily mean that it is one of the best products overall - an
>>anti-virus product has other components too.
>
>Quite right, and a point I tend to overlook. Perhaps I place undue
>importance on scanner quality but my primary concern is intercepting
>nasty things before they can get into critical systems.

That is probably the concern of many users! Some other products which
have this type of technology are Integrity Master, F-Prot Professional,
and Norton Anti-Virus 3.0. Of course, there are still others.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Sat, 06 Aug 94 01:38:46 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Seeking information on Anti.CMOS virus ... (PC)

Binod Taterway wrote:
>Here at Lehigh, we have found one occurrence of Anti.CMOS
>virus. F-PROT identifies it as Anti.CMOS, but McAfee's
>VIRSCAN calls it GENB (generic boot sector virus). Neither
>has been able to remove it. Both complain that they cannot
>remove the virus successfully.
>I have looked in VSUM to
>get some information on this virus, but no luck. I called

NAV 3.0 detects and removes this virus.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Sat, 06 Aug 94 01:41:01 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: AntiExe virus, Help!! (PC)

G Sayeed Choudhury wrote:
>I have an ANTIEXE virus on my computer. I used F-PROT version 2.12c
>(shareware) which detected it but can not disinfect it. Any advice on
>how to proceed (course of action, appropriate software, etc.).

NAV 3.0 detects and removes this virus (though I think you might need a
somewhat new update, like maybe June or July. I'm not sure.)

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Sat, 06 Aug 94 06:44:03 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

robertk@stack.urc.tue.nl (Robert Klep) writes:

>If I remember right, the VBAIT COM-file is very small (only a few hundred
>bytes max). I wonder if that's really realistic, because LOTS of
>COM-infectors (not all of them) check for file-sizes, and small files don't
>get infected.

You mean this is only a single file ? .... in that case, I recommend
deleting it from the hard disk as a waste of space.

You see, there are for example COM-infecting viruses that will *only*
infect files starting with E9 (JMP) and others that will *only* infect
files that do not start with E9. In other words, there is no way any
single file can get infected with all of the COM-infecting viruses that
exist.
- -frisk

------------------------------

Date: Sat, 06 Aug 94 07:13:41 -0400
From: hansjc@hacktic.nl (Hans Schotel)
Subject: Re: VIRUSCAN 2.x gripes & grumbles (PC)

jhurwit@netcom.com (Jeffrey Hurwit) wrote:

>>
>> There also seems to be a bug in VSHIELD, at least on my system. I have
>> an old 8088 laptop, with no hard drive (two 720K 3.5" diskette drives
>> only). VSHIELD seems to load and load its data file ok, but there's
>> trouble after that. At least vers. 202 counts memory correctly (vers.
>> 200 reported over 1,000K, when I have only 640K). But then it tries to
>> check my master boot record (I don't have one, on a floppy). Finally,
>> the last thing it does is say it's checking VSHIELD.EXE, then stops
>> right there, locking up my system in the process. (At least a soft
>> reboot brings it back-- I don't have to turn the power off.) The old
>> VSHIELD worked fine on my system, last time I tried it.
>>
>> I hope these comments prove useful to someone, at least to the
>> developers at McAfee. In the mean time, I'm still looking around at
>> other virus scanners...

From beta-testing the new McAfee for DOS I (and some others in The
Netherlands) know that the new VShield has problems with memory. On my
machine (486/DX2, with QEMM 7.04 as memory manager) strange things happen
when VShield has been loaded and other programs start that address memory
in any way (most of the time I get the "Exception #13 Error-message" from
QEMM, and my (stand-alone) PC hangs (cold reboot necessary)).

The above has repeatedly been brought to the attention of the McAfee
representatives in The Netherlands, who passed it on to the USA. But,
although it was stated that the problem had been solved, with the latest
VShield-beta (dated 28-06-94) nothing had changed for the better,
regrettably. The old VShield never had such a problem on my machine.

Regards,
- --
Hans Schotel.
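frisk's reply above (on vbait12.zip) makes a practical point for anyone who uses bait files as a detection aid: some COM infectors only touch files that begin with an E9 (JMP) and others only touch files that do not, so a single bait covers neither class completely. The following Python sketch is an added illustration, not part of the digest and not the VBAIT package: it builds two bait images of different "shape", records a baseline for each (size, first bytes, SHA-256), and reports which ones have changed. The file names, the padding size and the simulated modification in `demo()` are all constructed for the example.

```python
"""Added example (not from the digest): a two-shape bait set with an integrity
check over it. Names, sizes and the simulated change are constructed here."""
import hashlib

# DOS .COM files load at CS:0100h and start executing at their first byte.
# Bait A begins with E9 (JMP rel16) over a padding block, as many real
# programs do; bait B begins with plain code instead. Keeping both shapes
# is the point frisk makes: one file alone never covers both cases.
PAD = 1024   # constructed: pad the baits so a 'file too small' rule is less likely to skip them
EXIT = bytes([0xB4, 0x4C, 0xCD, 0x21])   # mov ah,4Ch ; int 21h  (terminate program)

def make_bait_jmp(pad: int = PAD) -> bytes:
    """Bait that starts with E9: jump over `pad` NOPs, then exit to DOS.
    The rel16 is relative to the byte after the 3-byte JMP, hence == pad."""
    return bytes([0xE9]) + pad.to_bytes(2, "little") + b"\x90" * pad + EXIT

def make_bait_plain(pad: int = PAD) -> bytes:
    """Bait that does not start with E9: exit to DOS immediately, NOP tail."""
    return EXIT + b"\x90" * pad

def fingerprint(image: bytes) -> dict:
    """The three things a file-level integrity check compares."""
    return {"size": len(image),
            "head": image[:3].hex(),                 # entry bytes: where an infector usually patches
            "sha256": hashlib.sha256(image).hexdigest()}

def baseline(baits: dict) -> dict:
    """name -> fingerprint, taken when the baits are known to be clean."""
    return {name: fingerprint(img) for name, img in baits.items()}

def check(baits: dict, base: dict) -> dict:
    """Return {name: [what changed]} for every bait that no longer matches."""
    findings = {}
    for name, img in baits.items():
        now = fingerprint(img)
        changed = [k for k in ("size", "head", "sha256") if now[k] != base[name][k]]
        if changed:
            findings[name] = changed
    return findings

def demo() -> dict:
    """Constructed run: clean baseline, then the plain bait is altered
    (entry bytes overwritten, data appended) and the check reports it."""
    baits = {"BAITJMP.COM": make_bait_jmp(), "BAITPLN.COM": make_bait_plain()}
    base = baseline(baits)
    tampered = dict(baits)
    tampered["BAITPLN.COM"] = (bytes([0xE9, 0x00, 0x04])
                               + baits["BAITPLN.COM"][3:]
                               + b"\xCC" * 200)
    return check(tampered, base)

if __name__ == "__main__":
    print(demo())   # expected: {'BAITPLN.COM': ['size', 'head', 'sha256']}
```

The check deliberately records the entry bytes separately from the whole-file hash: a size or hash change tells you something touched the file, while a changed `head` on a bait that never starts with E9 is the specific symptom worth looking at first. Writing the two images to disk and re-reading them before calling `check()` is left to the caller, since the point here is the comparison, not the I/O.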
------------------------------

Date: Sat, 06 Aug 94 07:13:34 -0400
From: hansjc@hacktic.nl (Hans Schotel)
Subject: Re: THUNDERBYTE AV 621 (PC)

patrick.noyens@cis-infoserv.be wrote:

>> It seems that TBSCAN vers. 621 (TBAV621) gives the wrong heuristic description in
>> the log file and at the action menu. For example I get the heuristic flag 'C',
>> which normally indicates missing ANTI-VIR.DAT files, while the files do have
etc., etc.

Just a tip (perhaps): did you try TBAV 6.22? It came out shortly after
the issuing of 6.21, because of (as I was told) some "small" bugs.
Perhaps your problems will be solved by using 6.22?

Regards,
- --
Hans Schotel.

------------------------------

Date: Sat, 06 Aug 94 08:44:29 -0400
From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: THUNDERBYTE AV 621 (PC)

This message posted on Saturday 940806

... wrote:
>It seems that TBSCAN vers. 621 (TBAV621) gives the wrong heuristic description in
>the log file and at the action menu. For example I get the heuristic flag 'C',
[...]
>I would appreciate any info about this.
>        Warmly
>Patrick Noyens (Patrick.Noyens@boardwatch.com)
>

Patrick, did you have the same problem with the 6.22 version which was
released shortly after 6.21 became available ? Which version/type do you
use ? General/optimized(which)/windows ???

Bye for now,

Piet de Bondt                                    bondt@dutiws.twi.tudelft.nl
==============================================================================
   FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Sat, 06 Aug 94 09:38:00 -0400
From: CL-28951@cphkvx.cphk.hk
Subject: Virus Found, Please help (PC)

My friend's company got a virus on its Novell Netware LAN. He used Scan116,
F-prot and DOS 6.0 to scan the hard-drive, but no virus was found.

The symptoms of the virus are as follows:

1. The system always hangs up.
2. When you issue the DIR command, the file size for the .EXE files is increased.
3. The memory size of the computer is reduced.
If you have any idea how to clean this virus, please Email me at the
following address: Cl-28951@Cphkvx.cphk.hk

If you would like to get a sample of the virus, please instruct me how to
get a sample virus from the system, and how to send the virus to you by
E-mail in a safe way.

Thanks
Philip Tong
Cl-28951@cphkvx.cphk.hk

------------------------------

Date: Sat, 06 Aug 94 14:39:08 -0400
From: dhess@ccwf.cc.utexas.edu (Dean)
Subject: Stealth C Virus (PC)

Does anyone have information regarding the Stealth C Virus? Several
friends are finding it on their floppies and hard drives. I've used f-prot
2.13 to disinfect the virus, but need to know if they are really gone and
how can we protect our machines from the virus? Any info is appreciated.

Dean
dhess@ccwf.cc.utexas.edu

------------------------------

Date: Sat, 06 Aug 94 15:08:53 -0400
From: cannon@nic.com (Kevin Martin)
Subject: Re: VIRUSCAN 2.x gripes & grumbles (PC)

jhurwit@netcom.com (Jeffrey Hurwit) wrote:

> Dare I even write this? I see almost no discussion of McAfee's
> VIRUSCAN on either group I'm posting this to. I have to say, having
> tried the new generation of VIRUSCAN, the previous one was better.

FWIW, I agree. I tried v2 on my system, and it kept telling me that one
of my data files (!) was infected with SWISS.EXE. (It isn't.) The file in
question is a text file of alternate autoexec.bat versions, delimited
with a YEN character (Alt-157). Could VIRUSCAN 2 be trying to use a
one-byte signature? :-(

- --
cannon@nic.com (Kevin Martin) ! Brass Cannon Consulting/Midland Park, NJ

------------------------------

Date: Sat, 06 Aug 94 19:43:36 -0400
From: "Fabio Esquivel C."
Subject: Server downing virii - Netware corruption? (PC)

In a previous message, Fran Guidry mentioned to have experienced file
corruption on a Novell Netware with NetShield loaded at the server.

I would like Fran to give more details on how that happened.
                                   \___/
                                   (O o)
- ----------------------------------oOo-U-oOo--------------------------------
- -- Fabio Esquivel - University of Costa Rica  | C:\GAMES>a:install
fesquive@cariari.ucr.ac.cr (163.178.101.5)     | Blood_Drinker virus found!
fesquive@bribri.ci.ucr.ac.cr (163.178.101.8)   | Apply, Kill, Panic?
    _                          "Up the Irons!" - 8¬)
- ---------------------------------------------------------------------------
- ---                          __|||__
                              (__/^\__)

------------------------------

Date: Sat, 06 Aug 94 21:22:22 -0400
From: Mark Shnayer
Subject: Re: AntiExe virus, Help!! (PC)

G Sayeed Choudhury writes:

>I have an ANTIEXE virus on my computer. I used F-PROT version 2.12c
>(shareware) which detected it but can not disinfect it. Any advice on
>how to proceed (course of action, appropriate software, etc.).
>
>thanks in advance.
>
>Sayeed
>choud_gs@jhunix.hcf.jhu.edu

I discovered this Anti-Exe virus with Thunderbyte 6.22. Please also send
any info/help. I don't have a CLEAN boot disk it seems because it still
shows in memory. Any help much appreciated (email only!).

markshnayer@delphi.com

------------------------------

Date: Sat, 06 Aug 94 21:56:36 -0400
From: Iolo Davidson
Subject: MtE Virus info wanted (PC)

elis@teleport.com "Eli Shapira" writes:

> Central Point never had to release a maintenance release for Central
> Point Anti-Virus since the day the product was announced.

I disagree. It is however true that they failed to do so.

- --
  WITHIN THIS VALE        YOUR HEAD GROWS BALD
  OF TOIL AND SIN         BUT NOT YOUR CHIN
                   Burma Shave

------------------------------

Date: Sun, 07 Aug 94 08:46:09 +0000
From: ianst@qdpii.ind.dpi.qld.gov.au (Ian Staples)
Subject: Re: VIRUSCAN 2.x gripes & grumbles (PC)

jhurwit@netcom.com (Jeffrey Hurwit) writes:

>one thing, the new version is incredibly bloated. The executables in

That's bad.

>The docs claim that the new SCAN is faster, and indeed it is. It scans

That's good.

>both memory and files much faster than the old SCAN.
>Unfortunately, it
>takes longer to load the (external) data files. If you're scanning an
>entire hard drive, there is a net gain, but not if you're only scanning
>a diskette or a few files.

That's bad.

>The new VIRUSCAN also seems to lack some useful and essential features
>that the old one had. SCAN 2.x no longer has the /MANY option, for
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That's absurd!

Just subjective judgements you understand :-)

- --
Ian Staples                    E-mail : ianst@dpi.qld.gov.au
c/- P.O. Box 1054              Phone  : +61 (0)70 921 555   Home 924 847
MAREEBA  Queensland            Fax    : +61 (0)70 923 593
Australia  4880                  "          "          "

------------------------------

Date: Sun, 07 Aug 94 16:46:15 -0400
From: kabreuer@cip.informatik.uni-erlangen.de (Klaus Breuer)
Subject: How to remove FORM from PC bootsector? (PC)

Hello!

Darn! After being extremely careful all this time, I've finally caught a
virus - ThunderByte v6.20 detects it as Form Virus.

Now this is sitting on my 1.2GB drive - how do I get rid of it without a
damn reformat? FDISK /MBR does nothing, and the Immunize/Clean Bootsector
of TB doesn't work either.

Any ideas? I must admit to having very little experience in such things.

Ciao,
Klaus

- ---
Klaus Breuer, Rudelsweiher Str. 6b, 91054 Erlangen, Germany
"Geez, I need a _reason_ for everything?"      -- Calvin
"Should I or shouldn't I? Too late, I did!"    -- Hobbes

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 65]
*****************************************
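Two threads in this digest turn on the same fact: Chess and Guidry both point out, against the "the floppies were not bootable" reasoning in the Form/Netware thread, that every formatted diskette carries a boot sector with executable code in it, system files or not; and Klaus Breuer's closing question concerns a Form infection that FDISK /MBR does not touch (on a hard disk the DOS boot sector at the start of the partition is a different sector from the master boot record, which is the one FDISK /MBR rewrites). The Python below is an added illustration, not part of the digest or of any product named in it: it assembles a plausible 1.44 MB FAT12 floppy boot sector of the kind a plain data diskette carries, parses its BIOS Parameter Block, shows that the code area is non-empty, and fingerprints that code area so a later change to it can be detected against a known-good copy. The OEM name, BPB values, volume label and the stub code bytes are constructed for the example.

```python
"""Added example (not from the digest): build a FAT12 floppy boot sector of
the kind every formatted diskette carries, parse its BPB, and fingerprint the
code area so a later change to it can be spotted. All values are constructed."""
import hashlib
import struct

SECTOR = 512
BPB_OFFSET = 11      # BIOS Parameter Block follows the 3-byte jump and 8-byte OEM name
CODE_OFFSET = 0x3E   # boot code begins after the extended BPB fields
SIG_OFFSET = 510     # the 55 AA boot signature occupies the last two bytes

# Constructed stand-in for the loader text a data-only DOS floppy carries:
# the sector still contains code, it just has no system files to load.
MESSAGE = b"Non-System disk or disk error\r\nReplace and press any key when ready\r\n"

def build_floppy_boot_sector(label: bytes = b"NO NAME    ", volume_id: int = 0x12345678) -> bytes:
    """Assemble a plausible 1.44 MB FAT12 boot sector (constructed sample)."""
    head = bytes([0xEB, 0x3C, 0x90]) + b"MSDOS5.0"   # jmp short +3Ch ; nop ; OEM name
    bpb = struct.pack("<HBHBHHBHHHII",
                      512,    # bytes per sector
                      1,      # sectors per cluster
                      1,      # reserved sectors (the boot sector itself)
                      2,      # number of FATs
                      224,    # root directory entries
                      2880,   # total sectors (1.44 MB)
                      0xF0,   # media descriptor
                      9,      # sectors per FAT
                      18,     # sectors per track
                      2,      # heads
                      0,      # hidden sectors
                      0)      # 32-bit total sectors (unused for floppies)
    ext = struct.pack("<BBBI11s8s", 0x00, 0x00, 0x29, volume_id, label, b"FAT12   ")
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + MESSAGE   # cli ; xor ax,ax ; mov ss,ax ; text
    code = code.ljust(SIG_OFFSET - CODE_OFFSET, b"\x00")
    sector = head + bpb + ext + code + b"\x55\xAA"
    assert len(sector) == SECTOR
    return sector

def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields and the filesystem type string."""
    fields = struct.unpack_from("<HBHBHHBHHHII", sector, BPB_OFFSET)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fats",
             "root_entries", "total_sectors", "media", "sectors_per_fat",
             "sectors_per_track", "heads", "hidden_sectors", "total_sectors32")
    info = dict(zip(names, fields))
    info["fs_type"] = sector[54:62].decode("ascii", "replace").strip()
    return info

def is_boot_sector(sector: bytes) -> bool:
    """True when the sector carries the 55 AA signature the BIOS looks for."""
    return len(sector) == SECTOR and sector[SIG_OFFSET:] == b"\x55\xAA"

def has_boot_code(sector: bytes) -> bool:
    """True when the code area is not blank, i.e. something runs if booted."""
    return any(sector[CODE_OFFSET:SIG_OFFSET])

def code_fingerprint(sector: bytes) -> str:
    """Hash of the jump and code area only; BPB, label and volume id are left
    out so identically formatted disks with different labels compare equal."""
    return hashlib.sha256(sector[:3] + sector[CODE_OFFSET:SIG_OFFSET]).hexdigest()

def code_changed(sector: bytes, known_good: str) -> bool:
    """Compare a sector read back later against a fingerprint taken when clean."""
    return code_fingerprint(sector) != known_good

if __name__ == "__main__":
    s = build_floppy_boot_sector()
    print(parse_bpb(s))
    print("boot signature:", is_boot_sector(s), " has code:", has_boot_code(s))
    print("code fingerprint:", code_fingerprint(s))
```

Reading a real sector 0 from a diskette image and passing it to `parse_bpb()` and `code_fingerprint()` is the intended use; the fingerprint of a freshly formatted disk from a trusted machine is the baseline, and any later mismatch in the code area is worth a look, because the BPB and label change legitimately while the loader code normally does not.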