VIRUS-L Digest   Wednesday, 17 Aug 1994    Volume 7 : Issue 70

Today's Topics:

Re: Virus Definition Revisited...
Re: Finger daemon virus information service
Re: Comments and Observations.........
Re: Re| Viruses = Commercial Opportunity?
Virus signatures
Re: Netcom distributing viruses
Re: Virus Life?
Re: Re| Viruses = Commercial Opportunity?
Re: Looking for Virus Scan Strings
Re: Unix Virus Attacks and Scanner (UNIX)
Re: Virus Found, Please help (PC)
Re: How to remove FORM from PC bootsector? (PC)
Re: TranScan (PC)
Re: Re| FamM virus (PC)
Re: Smeg viruses (PC)
Re: changing genP/genB virus (PC)
Re: Viruses & TSRs (PC)
Re: Fixing the boot sector of a floppy? (PC)
Re: boot diskette (PC)
Re: "Parity Boot" virus of Germany and Virus Buster (PC)
Re: Invisible Man... (PC)
Re: Re; [News] "Horse" virus? (PC)(Anywhere else?)
Re: virus construction labratory (PC)
Re: Whisper Presenterar Tai-Pan (PC)
Re: SMEG Virus Test (PC)
Re: Lenart? or CPAV blof. (PC)
Re: Help Win 32 Bit File Virus? (PC)
Re: YK2885 What does this virus do ? (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Q/A about Norman Virus Control (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: ANSI bombs (PC)
Re: whisper virus (PC)
Re: Norman Virus Control and Satan Bug (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
666 virus (PC)
Re: Viruses & TSRs (PC)
ThunderByte Anti-Virus v6.23 Released!

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CORSA.UCR.EDU.  Administrative mail (e.g., comments,
suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 16 Aug 94 15:21:24 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Definition Revisited...

Brian H. Seborg (bseborg@fdic.gov) writes:

> I like Padgett's suggestion to add the constraint that the virus be
> "functionally similar" to its parent; however, I know of several
> examples of viruses for which this is not currently the case.  I'll
> cite one example later.  Also, I think that in the future we may see
> viruses where this is not necessarily the case.  For example, if we
> ever have polymorphic viruses that actually are capable of generating
> functional code variants (as opposed to just viruses with variable
> decryptors), then we could have a case where the child viruses of the
> original parent may be functionally dissimilar, and in

Exactly.  I can provide even better examples:

1) The Kampana and Hafenstrasse viruses carry another virus within
themselves (Kampana_Boot and Ambulance respectively), and occasionally
"drop" it.  The virus is able to replicate further by itself, but is
unrelated and functionally dissimilar to the parent that has dropped
it.

2) The Delwin.1759 virus that I had to analyse recently (it's in the
wild in Germany) modifies its activation date, based on the time of
infection.

3) It is easy to imagine a virus (although I cannot think of a
particular example) that would play random tunes or display random
patterns on the screen - a different one in each new replication.
> "We define a computer 'virus' as a self-replicating program that can
> 'infect' other programs by modifying them or their environment such
> that a call to an 'infected' program implies a call to a possibly
> evolved, and in most cases, functionally similar copy of the 'virus'."
>      --Seborg's modification to Cohen's definition with help from
>        Peterson :-)

This is one of the most sensible definitions of the term that I have
seen.

> and a few articles would have been enough, silly me! :-))  I can see
> that his definition of computer viruses is not the same as that
> generally accepted by most researchers in the field (no surprise to
> Vesselin Bontchev who must have actually read Fred's book as well
> :-)).  For example, I was

Nope, I have not read his book - haven't found it yet - but your
mistake has been in reading "few" articles from him.  Most of his ideas
are published as a huge number of papers in the scientific journals
(mostly in "Computers & Security").  I have read most of them and am
not surprised to see that I am already familiar with the ideas he
expresses in his books.

> surprised to see that Dr. Cohen considers the Internet Worm to be a
> virus while most purists would consider it a Worm.

Yep.  Actually, he does make the difference between a worm and a virus,
considering the worm as a particular case of a virus.  Unfortunately,
neither of the two definitions (for "worm" and for "virus") is useful
for practical reasons.  I could dig up the exact reference of the paper
where those definitions are described, if you are interested.

> He also considers the IBM e-mail Christmas card incident as another
> case of a virus.  Again, most

Yep.  And also DISKCOPY.  He says that a virus is a virus only in a
particular environment and it doesn't make sense to consider it outside
of this environment.  In the particular cases of CHRISTMA EXEC and
DISKCOPY, the environment includes the human operator who manually
spreads the virus further.
> However, be that as it may, if we are going to look at the term
> computer virus in terms of its biological equivalent, then it seems
> that my modified definition is more in line with this objective since
> to define it otherwise would be to do the biological equivalent of
> grouping viruses (see Webster's Dictionary if you think it should be
> viri :-)), bacteria, and parasites into the same group (while it is
> true that some bacteria are parasites and some parasites are
> bacteria, we would never say that all parasites are bacteria, nor
> that all bacteria are parasites).  I will not debate the merits or
> lack

Indeed.  It seems that his definition of the term "virus" as "a program
that reproduces" is more appropriate for the contest for definitions of
the term "artificial life" than of the term "computer virus".

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date:    Tue, 16 Aug 94 15:29:29 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Finger daemon virus information service

Henrik Stroem (hstroem@ed.unit.no) writes:

> I think you are wrong ;-)  It is trivial for any programmer with some
> knowledge of C and UNIX and daemons, to write a fingerd that displays
> the contents of a file when the name of that file is fingered.

Point taken.  Admittedly, I am not a Unix guru.

> The big advantage of using something as simple as a fingerd is that
> a finger program is supplied as a part of almost any system with
> TCP/IP support, on most platforms.  Whereas a gopher client or a
> mosaic client is not.  E-Mail is hard to setup and is typically not
> within reach for many non-UNIX users.
> In addition the finger program is incredibly easy to use, and runs
> with minimal hardware and software requirements.

I disagree here.  It is trivial for me as a user to install such a
mailer on my account - I could even hack something using the filter(1)
program that comes with elm(1).  However, in order to install a
modified finger daemon, I need root privileges, which I don't have
here, or to pester the local sysadmin to do it for me.  :-)

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:31:35 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Comments and Observations.........

Steven W. May (swm107@crane-ns.nwscc.sea06.navy.mil) writes:

> I would like to see this group contain more in the line of what
> viruses are in the wild, where, what these viruses do etc.  I think
> it would be beneficial to the computer world at large for this group
> to cooperatively develop a complete and useful database of
> information concerning the virus problem and known viruses.  I have

It is unlikely that such a database would be created by the
participants of this forum.  They are either people who are looking for
information (i.e., do not know), or people who are anti-virus
researchers and are too busy with other things (mostly - developing
their own products), or people who are interested mostly in the debates
and not in particular technical information.  :-)

> heard that one was started and available for FTP somewhere but I did
> not get the whole story on it.  I understand that VSUM is not worth
> the time it takes to do the DL.

The FAQ contains some useful pointers to such information.
Two sources that are not mentioned there are:

1) CARObase - a project started by the CARO members to create
standardized, technical virus descriptions of many viruses.  The
project doesn't advance very well, mostly because the people involved
in it are busy with other things.  There are only about 40 descriptions
ready; you can get them from our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/carobase/carobase.zip

2) The help system of the anti-virus product AntiVirus Pro contains a
lot of virus descriptions, together with visual and demonstration
effects of many (hundreds) of viruses.  It is also available from our
site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp200af.zip

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:32:38 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Re| Viruses = Commercial Opportunity?

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> Are there antivirus programs that can find nearly 4500 viruses?

Yes, there are.  For instance, during my latest tests, BRM_Scan (a
product under development, by the same people who made Untouchable)
detected 4,494 different viruses.  FindVirus detected 4,451.  F-Prot
detected 4,370.  AVP detected 4,145 file viruses (98% of them, the
highest detection rate), but I was unable to test it for boot sector
virus detection.  Of course, all this does not mean that those scanners
are able to distinguish between all those viruses.  The champion here
is F-Prot, which reported 4,081 different names.  The tests were made
with 4,593 different file and boot sector viruses.

> > > (use Joe Wells' list, for example).
>     ^^^^^^^^^^^^^^^
> What is this ?

A list maintained by Joe Wells from Symantec.  It contains the names of
the viruses that have been verified to be in the wild during the last
two years.  Several anti-virus researchers contribute to the list.  The
latest version can be obtained from our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/wild*.zip

It also gets regularly published here.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 20:52:56 -0400
From:    diegom@pts.mot.com (Diego Montanez)
Subject: Virus signatures

Hello,

I have to do a programming project and I intend to make a simple
file-infecting virus scanner.  My question is: how do commercial
antivirus scanners accomplish this task and, where could I get a
library of virus signatures to use with my program?

Thanks in advance,
Diego
- -- 
+----------------------------------------+
| Diego A. Montanez - diegom@pts.mot.com |
| Phone: (809) 855-2000 Ext. 2520        |
+----------------------------------------+

------------------------------

Date:    Tue, 16 Aug 94 23:38:19 -0400
From:    tracker@netcom.com (Craig)
Subject: Re: Netcom distributing viruses

Fridrik Skulason (frisk@complex.is) wrote:
: Netcom's policy on making viruses available via FTP is:
: >Viruses and information relating to viruses are not, at this time,
: >controlled code.  We allow users to make available via anonymous FTP
: >any and all data as long as it is legal, which viruses, viral source
: >code, and newsletters published by virus groups are.  It is not
: >placed there by Netcom, and its distribution is not necessarily
: >endorsed by Netcom.

And this is what's wrong with US laws.
Until business(es) are damaged by viruses, law enforcement couldn't
give a rat's ass about viruses, viral source code, etc., being publicly
available, for free or money.  Maybe someday the US laws will get out
of the dark ages and start updating the laws to cover these areas.

- --

------------------------------

Date:    Wed, 17 Aug 94 00:54:23 -0400
From:    ian@bvsd.k12.co.us (Ian S. Nelson)
Subject: Re: Virus Life?

frisk@complex.is (Fridrik Skulason) writes:

>shornik@shadow.net (Steve Hornik) writes:

>>I just read an article in The Miami Herald which reports Stephen
>>Hawking saying that "I think computer viruses should count as life".

>Well, he is entitled to his opinion...but in this case I would tend to
>disagree rather strongly with him...check out comp.ai.alive for
>related discussion.

>- -frisk

Well, he isn't exactly in the same league with Feynman..  He's a sharp
guy, probably just a bit under-educated in computer viruses.  It was an
entertaining article though.

- -- 
Ian S. Nelson           I speak for only myself.  Finger for my PGP key.

------------------------------

Date:    Wed, 17 Aug 94 01:26:30 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Re| Viruses = Commercial Opportunity?

Kazatski Oleg Nikolaevitch wrote:

>> > 3) Do you really need to detect 4500 viruses to be a useful product?
>> > There are many other products which don't detect nearly that many
>> > which still sell *quite* well.
>
> Are there antivirus programs that can find nearly 4500 viruses?

Since I don't have nearly that many viruses to test, I can't say for
sure, but there are such claims.  I do know, however, that when used
properly, for example, the Inoculation feature in NAV 3.0, you can
detect just about any virus, and repair it, as well.

>> > 4) While you will get opposite answers from just about everyone
>> > here, consider: Viruses in the wild are considerably more important
>> > to detect/
>> > remove than viruses *not* in the wild.
>> > Those should be highest priority
>> > (use Joe Wells' list, for example).
>     ^^^^^^^^^^^^^^^
> What is this ?

Joe Wells (some guy in CARO) publishes a list of which other vendors
(mostly CARO members from what I remember seeing last, though it might
have been ALL CARO, I don't remember) have reported as a confirmed virus
at some location.  It basically gives you a rough idea of where viruses
are around, and a good idea of which viruses are proliferating well,
vs. ones that are just duds and not doing anything.

- -- 
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.  T H I E V E S   S U C K  .oOo.oOo.

------------------------------

Date:    Wed, 17 Aug 94 01:28:28 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Looking for Virus Scan Strings

Fridrik Skulason wrote:

>However - the number of viruses that cannot be (reliably) detected
>with a search string is growing...fast.

I agree!

>Simple, sequential string search is an outdated mechanism for
>detecting viruses anyhow...

So, what would you suggest is a better alternative?  It seems that
wildcarded search strings are the next step right after regular search
strings, but after that, what would you suggest?

- -- 
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu

------------------------------

Date:    Tue, 16 Aug 94 15:34:56 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Unix Virus Attacks and Scanner (UNIX)

Pete Radatti (radatti@cyber.com) writes:

> Unix system was infected with a file infector.
> I have not completely finished my study of how the virus was able to
> target the executable, however using 2 different virus scanners an
> msdos virus was found infecting a Unix executable.  The executable was
> created on the Unix system by compiling.  The virus did not have the
> same effect on the Unix system as it would have on an Msdos system.
> The SA also reported that a week after

Could you please tell us the particular brand of Unix involved (Linux?
Xenix?  Something else?  Version?) and the particular MS-DOS virus
involved, so that we could do some tests here?  Thanks.  Also, what was
the name of the infected file?

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 13:26:00 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Found, Please help (PC)

CL-28951@cphkvx.cphk.hk (CL-28951@cphkvx.cphk.hk) writes:

> My friend's company got a Virus on its Novell Netware LAN.  He used
> Scan116, F-prot, Dos6.0 to scan the hard-drive, but no virus was
> found.

This means that either it is a new virus, or that there is no virus.

> The symptoms of the virus are as follows:
> 1. The system always hangs up.

This does not necessarily indicate a virus infection.

> 2. When you issue the DIR command, the file size for the .EXE files
>    was increased.
> 3. The memory size of the computer was reduced.

Those two symptoms, however, and especially the first of them, indicate
with almost 100% certainty that there is indeed a virus.  And, since the
popular scanners did not detect it, it means that it is a new virus.
> If you would like to get the sample of the virus,

It is always a good idea to send a new virus to the well-known
anti-virus researchers, or at least to the producer(s) of the
anti-virus program(s) that has/have failed to detect it.

> Please instruct me how to get a sample virus from the system, and how
> to send the virus to you by E-mail in a safe way.

To get a sample is simple - just take one of the files with increased
size.  The smaller the file is, the better.  Regarding the "secure way"
- it depends.  The different anti-virus researchers have different
requirements.  We, for instance, always suggest the usage of PGP - my
public key is on the keyservers.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 13:39:11 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How to remove FORM from PC bootsector? (PC)

Klaus Breuer (kabreuer@cip.informatik.uni-erlangen.de) writes:

> Darn!  After being extremely careful all this time, I've finally
> caught a virus - ThunderByte v6.20 detects it as Form Virus.
> Now this is sitting on my 1.2GB drive - how do I get rid of it
> without a damn reformat?

Either use a good virus remover, or simply cold-boot from an
uninfected, write-protected system diskette, containing the same
version of DOS that your hard disk is formatted with, and do a

SYS C:

This will get rid of this particular virus from the hard disk.

> FDISK /MBR does nothing, and the

Of course.  The virus is not in the MBR, it is in the DOS boot sector
of the active partition.

> Immunize/Clean Bootsector of TB doesn't work either.
I am not very familiar with this program, but I suspect that you have
to install it *before* you get infected and only then you can use it
to remove a boot sector infection.  Check the documentation of the
product for more information.

> Any ideas?  I must admit to having very little experience in
> such things.

I noticed that you are from Germany.  It would be more effective
(time-wise) if you call our VTC directly when you suspect a virus
problem.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:25:23 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: TranScan (PC)

Jim Wood (jwood@az15eh09.iac.honeywell.com) writes:

> Has anyone heard of or used the TranScan virus detecting software?

Where did you get it from?  What platform is it for?  IBM PC?  The only
program by this name that I know is an internal utility developed by
S&S International.  It does not detect viruses - instead, it detects
non-viruses which are often found in the virus collections.  It is used
to quickly weed out the chaff from such collections.  If this is what
you mean, it does not have a price.  It is not for sale.  You are not
supposed to have it.  :-)

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:31:52 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Re| FamM virus (PC)

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) writes:

> The Family [Fam] viruses are a number of viruses, usually very recent,
> using standard viral code.  SCAN is able to detect them through
> generic detection, but CLEAN does not have the ability to remove
> those.  As with the GENB and GENP viruses, please forward a copy of
> any viruses of this sort to McAfee Associates for analysis and
> identification.

This is a direct quote from SCAN's documentation and, as many other
things there, it is wrong.  SCAN reports dozens of completely unrelated
viruses like that.  It detects them by sets of very generic (with a lot
of wildcards) scan strings, designed to match some common routines used
in viruses.  It is a kind of heuristic and does not identify any
particular virus (therefore it is impossible to tell "what the FamM
virus does").  Just as in the case of Genp/Genb, this means "I have
found something very suspicious and am pretty sure that it is a virus,
but I have no idea which particular virus this might be".  Users are
advised to use a scanner that can do better identification, in order
to figure out which particular virus they have.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:31:44 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Smeg viruses (PC)

J M Hicks (cudat@csv.warwick.ac.uk) writes:

> Is it really true that the computer has to be taken apart?  If so,

No.
> I'm always disturbed by reports that software can damage hardware.

Most (all) of those reports are either urban legends or concern
outdated/defective hardware.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:32:01 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: changing genP/genB virus (PC)

Jay_Leiser (jayl@dorsai.dorsai.org) writes:

> I need some info.  We got a virus that is detected as the stealth genb
> when booting from hard drive and when booting from floppy it is
> detected as a stealth genp.  In addition this virus was detected as
> the newbug genp.  Any information regarding these viruses would be
> greatly appreciated.

You are obviously using McAfee's SCAN.  Unfortunately, it is rather
pitiful at virus identification, so I have problems determining which
virus exactly has infected your computer.  As usual I would suggest a
product that does this job better - for instance, F-prot.

The virus that SCAN calls "Stealth [Genb]" is either Stealth_Boot.A or
Stealth_Boot.C - probably the latter.  It is based on a virus written
by Mark Ludwig and published in his book that teaches the people how to
write viruses.  Don't forget to send him a message, telling him how
much you appreciate his efforts.  I suspect that in your particular
case you have the .C variant, because it is more widespread than .A,
but only a scanner that can distinguish between the variants will be
able to tell you for sure.

The fact that SCAN says "Genb" (as opposed to "Genp") suggests that it
has found the virus on a boot sector.  Since this virus is an MBR
infector, I conclude that you see this report only on floppies.  Am I
correct?
The "Genp" "variant" is found on your hard disk.  Actually, it is the
same virus.

I fail to see how the same virus can be detected also as NewBug - this
is how SCAN calls the AntiEXE virus (variants .A and .C again).  This
is a completely different virus and is also in the wild.  It is
unlikely that you are infected by both of them, but nevertheless, try
running a better scanner and tell me what it says.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:32:19 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses & TSRs (PC)

Mark J. Miller (mjm@tardis.svsu.edu) writes:

> 1. What antivirus products are available for scanning in compressed
>    partitions? (dos)

None.  Just load your driver to access the compressed partition from a
known clean copy and use a normal scanner to scan the mounted volume.

> 2. How easy is it for a virus to defeat an antivirus product loaded
>    as a tsr? (dos)

Very easy.  Therefore, you must always make sure that no virus is
present in memory before you do any virus hunting.  The best way to do
it is to boot from a clean floppy.

> 3. Given the following scenario:
>    - fprot's virstop is loaded as a device driver.
>    - netware is loaded
>    - virstop is "rehooked" using the /rehook option
>    How easy is it for a virus to circumvent virstop's protection?

Very easy.  VirStop is a resident scanner, so any completely new virus
will be able to bypass it.

In the light of this question, maybe in your question 2. you mean that
the anti-virus product is loaded in memory, not the virus?  Then the
answer again is "very easy".  If the product is a scanner, the virus
must be just a new virus.
If the product is anything else, the virus could use tunnelling and
stealth, or simply patch the program in memory and disable it.

> 4. Is a product like fprot's virstop susceptible to the same weakness,
>    when it's loaded as a device driver without netware being loaded.

As a scanner, it is most susceptible to viruses it doesn't know about.
Also, VirStop has the problem of being unable to detect the very
polymorphic viruses - even if they are detected by F-Prot.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:32:10 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fixing the boot sector of a floppy? (PC)

renrick tulloch (rtulloch@lynx.dac.neu.edu) writes:

> A lot of our floppies were infected by the Genb and Genp virus,
> which affects the boot sector.

Repeat after me: THERE IS NO SUCH THING AS *THE* GENB/GENP VIRUS.  It
is a way of McAfee's SCAN to tell you "your boot sector/MBR seems to be
infected but I have no idea which particular virus it might be".

> Is there a way to overwrite the boot sector of the floppy without
> deleting the contents of the disk.

Yes.  You could use SYS A:, if you have enough room on the diskette for
the files of the operating system.  Alternatively, you could use
Padgett's FixFBR, if you don't mind your diskette becoming
non-bootable.

> EX: I know you can fix the boot sector of the hard drive with the
> command fdisk /mbr but is there a command for diskettes that will do
> this?

No, there is no exact equivalent.  I wish that SYS had an option (e.g.,
SYS/DBS) to put only a copy of the DOS Boot Sector on a floppy (without
the operating system files).
Unfortunately, neither Microsoft nor IBM nor Novell have listened to my
suggestions.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:32:28 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: boot diskette (PC)

herb_rabinowitz (herb@dorsai.dorsai.org) writes:

> if using the new scn program by mcafee..what files must be put on a
> diskette to clean the system if a virus is found

If by "new" you mean version 2.x of the scanner, then you need the
following files on a bootable diskette that has to be used for
disinfection:

SCAN.EXE
SCAN.DAT
CLEAN.DAT
NAMES.DAT

Of course, you will also need DOS itself, and whatever other drivers
are needed to access your hard disk and/or network.  Note that you need
at least a 720 Kb diskette in order to fit all those files on it; a 360
Kb diskette won't do.

Regards,
Vesselin

------------------------------

Date:    Tue, 16 Aug 94 15:34:42 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "Parity Boot" virus of Germany and Virus Buster (PC)

John A. LaCour III (jal@mcs.com) writes:

> An associate claims that a disk given to him from someone else in the
> company is infected with the "Parity Boot" virus.

You mentioned "Germany" in your Subject: line.
The Parity_Boot.B virus is indeed extremely widespread there, so I assume that your associate is indeed infected by it.

> His AVS, Virus Buster, is what led him to this conclusion.

The product is probably right.

> I'm unfamiliar
> with this software or this virus.

I am not very familiar with this software either (except that I have tested it and remember clearly that it wasn't very testable), but I am familiar with this virus.

> I suspect either he was already infected,
> or this program does a lousy job at keeping signatures and/or scanning them.

The virus is rather well-known and widespread, so, regardless of the quality of the program, I suspect that it is right.

> Please email me any information you have about this virus and/or comments
> on this anti-viral software 'Virus Buster'.

I am e-mailing you a copy of this message. The virus is described in our Computer Virus Catalog and the FAQ describes how to get it. In short, this is an MBR stealth infector, which attempts to survive a warm reboot (and even succeeds on some machines). It is not intentionally destructive, but sometimes displays the message "PARITY CHECK" and hangs the computer.

The quality of the Virus Buster program that I tested was rather low. It did not conform to several conditions that an easily testable program should conform to. As a consequence of this, I couldn't test its boot sector virus detection. The file virus detection rate was 50%, which is *very* unsatisfactory.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 15:56:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Invisible Man... (PC)

leonardo@kuc01.kuniv.edu.kw (leonardo@kuc01.kuniv.edu.kw) writes:

> We are having a problem with the "Invisible Man" Virus. Does
> anybody know of a way out? We have been trying with it for a long
> time, but to no avail. Anyone has experience with this sort of thing?

This is a family of very polymorphic viruses of Italian origin. The family contains two variants - 2926 and 3223 bytes long respectively. McAfee's CLEAN version 117 is able to disinfect the first variant, but not the second. SCAN 2.10 does not detect the first variant at all and does not detect the second reliably, let alone disinfect them. IBM Antivirus/DOS 1.06 detects both variants with the same name, which means that it won't be able to disinfect them. Dr. Solomon's FindVirus 7.01 detected and identified both variants correctly, and claimed to have disinfected both of them, but actually left part of the second variant still appended to the files. Any other scanner that I tested either was unable to disinfect this virus, or didn't detect it at all.

> If so, please send me a mail at leonardo@kuc01.kuniv.edu.kw .

I am sending you a copy of this message.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 16:00:39 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Re; [News] "Horse" virus? (PC)(Anywhere else?)

Oleg Nickolaevitch Kazatski (kazatski@kartaly.chel.su) writes:

> > >Has anybody got information on the "Horse" virus? A friend of mine
> > >reported detecting it, I think with PC Tools Antivirus(?),

> There are several viruses "Horse".
> - ------------------------------- SCAN.DOC --------------------------------

[Extract from VIRLIST.TXT deleted.]

The file VIRLIST.TXT is COMPLETELY USELESS as a source of correct information about viruses and shouldn't be relied upon. It lists viruses that are never reported by SCAN, viruses reported by SCAN are never listed there, it lists viruses that do not exist, many viruses have their properties wrong, and so on. Beware.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 16:02:41 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus construction labratory (PC)

ROCKFOR101 (rockfor101@aol.com) writes:

> Has anyone heard of a piece of software called "Virus Construction
> Laboratory"?

Yes. It is a clumsy point-and-click program that generates viruses which sometimes work. With it every idiot can generate a moderately annoying virus. Its purpose is just that - to allow even the idiots who have no clue about assembly language programming to create viruses.

> If so where might I find it?

On the virus exchange BBSes, but why would you need it?

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 16:17:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Whisper Presenterar Tai-Pan (PC)

The Killer (tarshom@iia.org) writes:

> Does anyone have any knowledge of the Whisper Presenterar Tai-Pan virus?

Yes.
This is a relatively new virus (I first heard about it a couple of months ago and was able to obtain a sample less than a month ago) but nevertheless seems to be relatively widespread. We have reports from several countries, including Germany.

> I had a difficult time discovering this virus due to the fact that it
> could not be detected with Norton, MSAV, or PCTools 8.0 AV. It adds

Of all scanners that I have here, only Dr. Solomon's FindVirus 7.01 detects and disinfects it reliably. SCAN 117 and 2.10 also detect it, but are unable to disinfect the infected files.

> about 500 bytes to infected files (Only exe's under 64k) with the message
> Whisper Presenterar Tai-Pan printed within. I was able to delete my

The infective length is 438 bytes.

> infected files by scanning for them with TBAV, but I am still
> curious of what damage the virus may have done if I left it on my
> system. Does it activate on a certain date? Has anyone even heard of
> this virus?

It is a memory-resident EXE-only infector. Infects on execution (i.e., not on copying) files that contain 'MZ' in their first two bytes and which are smaller than 64,834 bytes. Does not have any activation date or in fact any kind of payload. Just replicates.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 16:29:31 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: SMEG Virus Test (PC)

Amir Netiv (Amir_Netiv@f120.n9721.z9.virnet.bad.se) writes:

> FS> Sometimes an infection by those viruses ... Queeg in
> FS> particular....seems to create a corrupted file ...
> FS> when it is run, it does not decrypt correctly, and will
> FS> most probably crash the machine.
>
> It's time you people stop making these unreal tests and everybody will not have
> to apologize so much for not knowing one particular virus or another that has
> no implications whatsoever on the real market.

This attack was uncalled for. Luca Sambucci's tests are rather professional - quite unlike the usual junk that we see in the computer magazines. It is true that in this particular case he has missed a bug in the virus that causes it sometimes to generate "dead" replicants, but this is by no means a reason to generalize and attack his tests in such a way. Everybody can make a mistake; the important thing is that they learn from it. I certainly would like to see more tests like those that Luca produces, compared, say, to the "tests" I have recently seen in BYTE.

> FS> and I strongly suspect that the reason all the programs missed some
> FS> Queeg "samples" is that they were files of this type.

> And so is any "new" virus that you might create for an "independent" test to
> say which is the best AV by saying which detects more useless viruses.

What are you talking about? No respectable anti-virus researcher would create a virus just for the purposes of a test - especially for the purposes of a scanner test. Everybody knows that scanners can detect only known viruses, so it is useless to test them with new, freshly created ones.

> however if you create a new virus and want to test AVs, use integrity checking
> heuristics, generic detection and cleaning etc... because that in my opinion
> will be the reality in the near future.

Are you saying this because the scanner in your own product performs so poorly? If the methods that you suggest were really so effective and usable, the users would already be using them - they are nothing new. Unfortunately, most users do not know how to interpret properly the alerts from integrity checkers and heuristic analysers, and don't want to learn either.
Besides, for the purposes of testing an integrity checker one wouldn't create a virus; one would write a program that exercises the known anti-integrity attacks and watch how the integrity checker reacts.

> Warmly

That was rather "hotly", methinks... :-)

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 16:35:37 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Lenart? or CPAV blof. (PC)

Amir Netiv (Amir_Netiv@f120.n9721.z9.virnet.bad.se) writes:

> CPAV (of all versions, windows or not) is known to do that, it alarms on
> perfectly clean and good BootSectors as infected by all kinds of things, and
> remarkably enough even "cleans" them (ThTh virus (?)) in most cases the trick
> works (a useless byte or some are modified in the BS) and the virus is
> presumably "cleaned", in other cases like your own...it fails! You know the
> rest...

While CPAV is indeed a pile of junk, I have never seen it doing what you describe - reporting a perfectly innocent floppy disk as infected. Can you send me an *uninfected* floppy on which CPAV finds the Lenart virus? I bet you can't.

> I'm afraid... Hmmm...no actually I'm happy, to tell you that you probably had
> nothing there, but now you do!

You are wrong. There is a particular virus (AntiEXE or AntiCMOS, not sure which one) that is detected as "Lenart" by CPAV. The original poster indeed had a virus and now has a screwed up boot sector, because of CPAV's sloppiness.

> * Amir Netiv. V-CARE Anti-Virus, head team *

I really expected you to be more knowledgeable. Is the quality of your product as "good" as your advice? Hmm, I've tested only the scanner, and it is indeed that "good"...
Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 16:41:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help Win 32 Bit File Virus? (PC)

Amir Netiv (Amir_Netiv@f120.n9721.z9.virnet.bad.se) writes:

> Remember to boot from a clean DOS floppy first.
> If you want another assurance for the existence of a Boot sector (or MBR)
> virus on your machine) run CHKDSK and look at the summary: if total memory is
> less than 655360 it might indicate a virus of this kind.

You are wrong. First, if he boots from a clean floppy first, there will be no virus in memory, and therefore CHKDSK will not display any memory decrease. Second, the number quoted by you is valid only for systems with 640 Kb conventional RAM. Third, please check the FAQ, question C11, for many examples of memory decrease that is *not* caused by a virus.

> Last (but not least): Running:
> FDISK /MBR
> (of DOS 5 or higher) might help solving this situation (beware of this if your
> disk is not standard DOS).

It might also completely screw up the disk of the poor user you are advising, if the virus does not preserve the MBR (e.g., Monkey). That's why, *before* trying the FDISK/MBR trick, one must *always* check that the hard disk is accessible (e.g., DIR C:). If it is not - DO NOT RUN FDISK/MBR!

Regards,
Vesselin

------------------------------

From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: YK2885 What does this virus do ? (PC)

Frank van Tol (Frank.van.Tol@ctp.nl) writes:

> After running scan v117 last night i found 25 files infected with
> YK2885. I couldn't find this virus in the virlist.txt and wonder what
> it is/does.

McAfee's SCAN does a miserable job at identifying viruses. In particular, it reports as "2885 [YK2885]" the following different viruses:

Yankee_Doodle.1905
Yankee_Doodle.TP-38
Yankee_Doodle.TP-39
Yankee_Doodle.TP-41
Yankee_Doodle.TP-42
Yankee_Doodle.TP-44.A
Yankee_Doodle.TP-44.B
Yankee_Doodle.TP-44.Login.2967
Yankee_Doodle.TP-44.Login.2968.A
Yankee_Doodle.TP-44.Login.2968.B
Yankee_Doodle.TP-44.Login.2974.A
Yankee_Doodle.TP-44.Login.2974.B
Yankee_Doodle.TP-45
Yankee_Doodle.TP-46

Those viruses are related, but they do different things, so it is not possible to tell you what "your" virus does, unless you provide a better identification. I suggest you run a scanner that does this better than SCAN. F-Prot is an excellent example of such a scanner.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 17:15:58 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

> Yes Alfred, that is an interesting point and many users
> appreciate being able to more fully test drive their anti-virus
> software for themselves.

They indeed appreciate being able to do that.
Unfortunately your product does not allow them to do that - it only fools them into believing that they have done that.

> The advantages of "Try before you buy"
> are well known to both commercial and shareware users.

The problem I have with this is that, due to lack of technical expertise, very few users are able to understand how unsuitable your product is for testing scanners.

> If you want
> to see how your anti-virus product looks when it detects a virus,
> Virus Simulator will certainly allow you to do just that, and
> quite effectively.

Wrong. The shareware version of the product only helps you to see how your anti-virus product looks when it causes a false positive. I wouldn't mind if *this* were how the product is marketed, instead of being advertised for testing anti-virus products.

> simulations supplied by my product. Virus Simulator provides
> several safe but far more dramatic bait alternatives. At least
> some of the simulations should set off the anti-virus program you
> are demonstrating.

Yes, at least some of the non-viruses generated by the simulator are likely to cause a false positive in several scanners. This is not how one tests scanners, however.

> For example, you can watch how the boot sector simulations get
> executed when a floppy disk remains in the drive when your system
> is turned on. The Virus Simulator Supplement "B" even allows the
> system to load normally off your hard drive after it takes over
> in memory. It beeps continuously (even in Windows) while it
> displays "Rosenthal Engineering Test Virus in Memory" and gives
> you approx. four minutes to exercise your anti-virus measures
> before the message dominates the screen and on most systems locks
> the keyboard.

Just in case the above leaves somebody with the impression that *this* is how boot sector viruses look - it isn't.

> That should certainly reveal the virus-alert-screen you wish to
> examine, don't you agree?

No.
The proper place to look for such information is the documentation of the anti-virus product.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 17:27:18 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

> Yes, although you have explained your views on my Virus Simulator
> even before you saw it, there are many who have examined it for
> themselves and formed their own opinions.

I am intelligent enough and have enough experience to figure out what your product does after I heard about it - even before seeing it. After I saw it, I saw that I was right in my assumptions, which didn't surprise me at all.

> Some people will
> disagree with you, as I do.

Certainly, they are free to do so. I, from my side, will continue to explain why they - and you - are wrong.

> I offer Virus Simulator as shareware with the ultimate "Try
> before you buy" guarantee. If a user finds my Virus Simulator
> useful, they're encouraged to register it.

The problem I have with this is that the average user does not have the knowledge and the technical expertise to figure out that your product is misleading.

> > . such as viruses. I will *really* appreciate if you stop promoting
> > your viruses here. It contradicts the charter of this forum. Go brag
> > about them on your favorite virus exchange BBS.
>
> Your attempts to suppress opinions that are contrary to your own
> continue to disappoint me.
> People should be able to hear all
> sides of an issue and make up their own minds without one of the
> participants being invited to take his ideas elsewhere. Vess,
> although your postings dominate this forum, there are other
> readers who might appreciate being able to share ideas and freely
> examine other points of view legitimately different from yours.

I have no problem with you expressing opinions that are contrary to my own - except that I will keep pointing out that they are wrong and why. I am not trying to suppress such opinions. I don't mind people hearing all sides of the issue and this is exactly why I am voicing my opinion so loudly - to make myself heard by those who might be misled by your messages or by the documentation of the product. I also have no problems with the exchange of ideas and free examining of other points of view that are legitimately different from mine.

The only thing I have a problem with is people advertising viruses here - because it contradicts the charter of this forum. The registered version of your product contains real viruses - therefore, don't advertise it here. I have no problems discussing the usability (or the lack thereof) of "simulated viruses" or discussing the ethical concepts behind selling viruses to the customer. THE ONLY THING I HAVE A PROBLEM WITH IS PEOPLE ADVERTISING VIRUSES HERE! Please, either stop doing it here, or go and do it somewhere else, where such things will be appreciated.

Regards,
Vesselin

------------------------------

Date: Tue, 16 Aug 94 17:49:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Q/A about Norman Virus Control (PC)

Norman Data Defense Systems A/S (norman@norman.no) writes:

> Mr. Bontchev: I think I made it clear that the version I handed to you
> at CeBit was a limited demo version.

I am sorry, but it probably wasn't that clear, because the message from the program rather surprised me. And got me rather annoyed too. If it had simply said "this scanner is too old, please contact the producer for an update", I wouldn't have suspected anything bad. But no, it said "This DEMO version has expired" - suggesting that what I had was not a "real" version. Since, as I said, we do not review crippleware, I did not bother any more with the product.

> If you want a complete package
> for comparative testing, we will be happy to express-mail you one.

I'd word this in a slightly different way. If *you* want me to test the scanner part of your package, feel free to send it to me. You see, the way you worded it seems to imply that I *want* to test the product. I don't - I have more than enough work like that. However, I am ready to do you (and your users) a favor by testing the scanner on our huge virus collection - especially having in mind that your scanner is very easy to test, because it conforms to all our conditions for testability.

> >A moderately useful product. Contains a scanner, resident scanner,

> We don't have a resident scanner. We think behaviour blocking is the way
> to go as far as resident routines are concerned.

Point taken, sorry for the mistake. I got the impression that the device driver includes resident scanning capabilities - as it is in most other products I have seen.

> >behaviour blocker, and boot sector restoring program.
> >Does not contain
> >an integrity checker, unless you classify the boot sector restoring
> >program in this category.

> We do have three routines included in the package, which will detect
> self-infection and boot-sector infection by integrity checks. They're called
> 'Canary'.

Yes, I did mention the boot sector restoring program. Have forgotten the "decoy launching" - sorry again. Yes, they are indeed integrity-based protections. However, what I meant above is that your product does not contain an integrity checker - in the sense that most people understand it. You know, a program that computes a checksum of all the executables on the protected machine, stores them in a database, periodically repeats the computations and tests whether the new checksums are the same as the old ones.

> > They claim to be able to detect 99%+ viruses. Has anyone been able to test
> > this claim?
> >
> >Rubbish. Their detection rate is about 75%. Better than NAV 3.0 but
> >worse than McAfee's SCAN.

> I suspect the 99% figure comes from our latest NCSA certification test. We

I see. Well, this speaks about the low quality of NCSA's virus collection that is used for their certification test. Indeed, this doesn't come as a surprise to me. I have had to weed out the junk from their collection several times - my CORRUPTD, DAMAGED, and INNOCENT directories are full of files whose names consist mostly of numbers, preceded by a '!' - which indicates that this is non-viral junk coming from NCSA's collections...

> However, 75% is quite wrong. Please refer to the latest Virus Bulletin for
> a more objective test.

Whaddaya mean "quite wrong"?! I haven't sucked this number from my fingers. I have run your scanner on our virus collection and have recorded the results. If you bother to send me a working copy of it, I could easily produce a megabyte report file (16259 lines), so that you could check the results yourself. And how, pray tell, is Virus Bulletin's test more objective?
I am not saying that it is bad, but it was run on a much smaller set of viruses. Both Virus Bulletin and I are documenting the names of the viruses used in the tests, so everybody can verify this. My tests were on a test set containing 16,259 samples of 4,235 different file viruses and 645 samples of 358 boot sector viruses. The test set used by Virus Bulletin contained only a few dozen different viruses, most of which were represented only by a single sample (therefore, they were unable to detect such bugs as unreliable detections).

> >Also, they used to claim to be TOAST - "The Only Anti-virus Software That
> >detects Satan Bug". Too bad that they can't substantiate their claims.

> How would you like us to prove it? At the time we made the claim, none of the
> better known current scanners would detect Satan Bug. I can get you the exact
> date and the name of the other products that we tested if that helps.

No. The version of the scanner you gave me in March does not detect this virus in SYS files. Therefore, at least at that time your product was still not detecting the virus (reliably). However, at that time there were already products that detected the virus reliably. Therefore, your scanner was not, is not, and has never been "the only" product that detected this virus. The most you could say is that it has been the first to have attempted to detect the virus and to succeed to some extent.

> I will have to give you that one. One of our earliest versions that had support
> for Satan Bug, did miss some .SYS-files because of a bug. This has been
> corrected a long time ago, however.

It still wasn't in the version you gave me in March.

Regards,
Vesselin
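Vesselin's description above of an integrity checker "in the sense that most people understand it" (checksum every executable, store the results, recompute later and compare) as a small working program. This is an added example and not code from the digest or from any product named in it: the set of executable extensions, the directory layout and the file contents in demo() are constructed for the demonstration, and SHA-256 stands in for whatever checksum a product of the period used.

```python
import hashlib
import json
import os
import tempfile

# Extensions treated as executables (assumed set; extend it to match the platform).
EXEC_EXTENSIONS = {".exe", ".com", ".sys", ".ovl", ".dll"}


def file_digest(path):
    """SHA-256 of a file, read in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record digest and size of every executable, keyed by relative path."""
    db = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"sha256": file_digest(full), "size": os.path.getsize(full)}
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, db):
    """Recompute the digests and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in db if k in current and current[k]["sha256"] != db[k]["sha256"]),
        "missing": sorted(k for k in db if k not in current),
        "added": sorted(k for k in current if k not in db),
    }


def demo():
    """Constructed scenario: baseline a small tree, alter it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed contents, none of these is a real program
            "DOS/COMMAND.COM": b"\xe9\x10\x00" + b"\x90" * 64,
            "UTIL/SCAN.EXE": b"MZ" + b"\x00" * 62 + b"\xcc" * 128,
            "README.TXT": b"not an executable, so not tracked\r\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # The database itself must be kept where nothing on the checked machine can rewrite it.
        dbpath = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), dbpath)
        db = load_baseline(dbpath)

        # Later check: one executable was modified, one is gone, one is new.
        with open(os.path.join(root, "UTIL", "SCAN.EXE"), "ab") as f:
            f.write(b"\x00" * 100)
        os.remove(os.path.join(root, "DOS", "COMMAND.COM"))
        with open(os.path.join(root, "UTIL", "NEW.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 30)
        return verify(root, db)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two points from the surrounding discussion apply directly: the checker is only as good as its database, so the baseline belongs on write-protected media rather than on the disk it describes, and a check run while a stealth virus is resident sees the original file contents, which is why the digest pass has to run after the clean boot the other messages on this page insist on.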
------------------------------

Date: Tue, 16 Aug 94 17:49:53 -0400
From: Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

as194@cleveland.Freenet.Edu (Doren Rosenthal) writes:

> > Posted: 16 Aug 1994 10:47:35 -0000
> > Org. : Lehigh University
> > -------------------------------------------
> August 14, 1994
>
> (Vesselin Bontchev) writes:
>
> Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
> Date: Wed Aug 10 08:14:14 1994
>
> >> Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:
>
> >> Thank you for your very positive comment about my Virus Simulator
> >> on Virus-L.
>
> >His "very positive comment" indicates only that you have succeeded to
> >fool him to believe that your Virus Simulator is useful, which it
> >isn't, as I have explained several times already.
>
> Yes, although you have explained your views on my Virus Simulator
> even before you saw it, there are many who have examined it for
> themselves and formed their own opinions. Some people will
> disagree with you, as I do.
>
> >> Your useful application of my Virus Simulator for
> >> training and demonstrations is exactly its intended purpose and I
> >> appreciate your sharing that publicly.
>
> > I strongly suspect that the intent to fool the people that your
> > program is of any use and therefore to buy it has been exactly your
> > intended purpose.
>
> I offer Virus Simulator as shareware with the ultimate "Try
> before you buy" guarantee. If a user finds my Virus Simulator
> useful, they're encouraged to register it.
>
> >> The current shareware version of Virus Simulator is VIRSIM2C.ZIP
> >> and is available from most BBS's, ftp sites and ASP vendors.
> >> Registered users now receive three additional supplements
> >> described in the documentation.
>
> There is certainly no deception intended as they can obtain Virus
> Simulator from most sources without charge, read the
> documentation and form their own opinion as to how useful it is
> for themselves.
>
> > . such as viruses. I will *really* appreciate if you stop promoting
> > your viruses here. It contradicts the charter of this forum. Go brag
> > about them on your favorite virus exchange BBS.
>
> Your attempts to suppress opinions that are contrary to your own
> continue to disappoint me. People should be able to hear all
> sides of an issue and make up their own minds without one of the
> participants being invited to take his ideas elsewhere. Vess,
> although your postings dominate this forum, there are other
> readers who might appreciate being able to share ideas and freely
> examine other points of view legitimately different from yours.
>
> Doren Rosenthal Member ASP & ASAD as194@cleveland.freenet.edu
>
> Rosenthal Engineering
> P.O. Box 1650
> San Luis Obispo, CA USA 93406
>
> ------------------------------------------------------
>

Well, has anyone tested this virus simulator with ThunderByte Anti-Virus? I bet it would pick up all the simulated viruses (I know for sure McAfee's SCAN wouldn't).

Ttul

------------------------------

Date: Tue, 16 Aug 94 17:55:38 -0400
From: Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)
Subject: Re: ANSI bombs (PC)

virusbtn@vax.oxford.ac.uk writes:

> > Posted: 16 Aug 1994 10:48:08 -0000
> > Org. : Lehigh University
>
> as316@freenet.carleton.ca (Michael McGuire) writes:
> > I was wondering if anyone knew of a virus scanner/cleaner that
> > can clean something called an "ANSI bomb"? I was told that they
> > can't be found by most scanners, and I think there's one going
> > around my area...
> >
> > Thanks..
> >
>
> Hmmm.. because of their nature, that is almost impossible to do. However,
> unless you actually need to load ANSI.SYS, remove it from your CONFIG.SYS
> file, and they can no longer function.
> Alternatively, there are replacement
> versions of ANSI.SYS around which do not allow typed text files to remap your
> keyboard etc. Maybe this would also be of use?
>
> Regards,
>
> Richard Ford
> Editor, Virus Bulletin.
>

Yes, replacement ANSI drivers would be useful; there are lots out there that prevent keyboard remapping.

Ttul

------------------------------

Date: Tue, 16 Aug 94 17:55:57 -0400
From: Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)
Subject: Re: whisper virus (PC)

joe.milenky@ase.com (Joe Milenky) writes:

> > Posted: 16 Aug 1994 10:47:45 -0000
> > Org. : Lehigh University
>
> anyone know which virus program can detect and clean the whisper virus
> which adds 439 bytes to each file executed in the directory of the
> executed program and eats up your hard drive space.
> thanx
>

TBAV's TBSCAN would/should detect it, and TBCLEAN should be able to clean it. Here's where you can get the latest version via FTP.

Taken from MIND LINK! on Tue Aug 16 13:39:46 1994

Tue Aug 16 08:27:59 1994
Letter : 2147417
From: Piet de Bondt
Address : bondt@dutiws.TWI.TUDelft.NL
Subject : TBAV v6.23 (Complete/Optimized/Windows) available by FTP
Bytes : 1051
To: Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)

Member of the Thunderbyte Antivirus announcement list,

I just received and made available for FTP tbav v6.23, both the complete package, the optimized versions, and the windows version. Note that you need the tbav623.zip file too for the windows version (for the virus-database and such).

Along with this release are the following files:

tbav623.zip    9-aug-94  Thunderbyte Anti-Virus utilities v6.23
tbavw623.zip  16-aug-94  TBAV for Windows
tbavx623.zip  10-aug-94  TBAV processor optimized versions v6.23
                         Only for registered users !
The files are *now* available on ftp.twi.tudelft.nl:/pub/msdos/virus/tbav and will be uploaded as soon as possible to oak.oakland.edu, garbo.uwasa.fi and nic.funet.fi

Greetings, Piet de Bondt

E-mail: bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Tue, 16 Aug 94 18:01:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Norman Virus Control and Satan Bug (PC)

Norman Data Defense Systems A/S (norman@norman.no) writes:

> The Satan Bug virus does NOT infect device drivers. It will infect
> renamed .EXE files, as it checks for the exe-header at the beginning
> of the file. Infections that occur when a file is copied happen
> when the virus checks for the file extension (.EXE). One exception
> exists: some .EXE-files are both executables and device drivers
> (typically SETVER.EXE and SMARTDRV.EXE). We will detect infections
> of such files as for any .EXE file.

I'm sorry if I have misunderstood the above, but the way I am understanding it, it is wrong. I have a perfectly good device driver here, with an extension .SYS, infected by this virus. It is indeed a device driver of the EXE type - i.e., begins with an EXE header and so on - but also has a device driver header (FFFFFFF and so on), and is named SYS. The version of your scanner that I have, before it stopped working, did not find a virus in this file. Yet, the file *does* contain the Satan Bug virus, and several other scanners detect it there.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >         Vogt-Koelln-Strasse 30, rm.
107 C                         e-mail: bontchev@fbihh.informatik.uni-hamburg.de
22527 Hamburg, Germany

------------------------------

Date: Tue, 16 Aug 94 18:05:44 -0400
From: Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

>
> If *everyone* can, *everyone* will ... even mentally unstable people that
> would spend their time deliberately infecting computers. Is that what you
> want ?

No way! Bad enough the media in the US and Canada overrate viruses, and never mind crappy scanners like MSAV, Norton Anti-Virus and CPAV.

>
> Unfortunately, one can argue that the increased number of viruses in
> circulation will lead to worse anti-virus products...I will be presenting
> a paper on that subject at a conference later this year.

How can it lead to worse anti-virus products? Maybe some authors get lazy because they can't keep up with the flood of new viruses? Seems the author of ThunderByte Anti-Virus is doing pretty damn good in that department at least. In various tests, TBSCAN has detected more viruses than McAfee's SCAN and F-Prot.

>
> From the point of view of many non-Americans, it looks like you people in the
> US seem to concentrate too much on the "rights", and not enough on the
> "responsibility"....while most virus-development in the UK is promptly
> shut down by the police, no similar action has ever been taken in the US.
>
> Why ?

Well I'm not an American, I'm a PROUD Canadian :) Unfortunately, it's the same here in Canada I believe. Viruses do come out here in Canada, and virus development is not shut down by the police.

Ttul

------------------------------

Date: Tue, 16 Aug 94 18:26:14 -0400
From: pkremer@epas.utoronto.ca (Philip Kremer)
Subject: 666 virus (PC)

I'm sure that I have a virus, since two of my jpegs were ruined, and since, while I was using WordPerfect, I got "666" on my screen. But McAfee's virus-scan software won't detect it. Can anyone suggest other virus-scan and virus-clean software?
Thanks,

------------------------------

Date: Wed, 17 Aug 94 01:37:47 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Viruses & TSRs (PC)

Mark J. Miller wrote:

>1. What antivirus products are available for scanning in compressed
>   partitions? (dos)

While I don't have every one available to myself to test, I imagine that there is little to not too much difficulty in properly scanning drives, say, with Stacker or similar real time compression. It might piss off a few scanners that try to read/open files as fast as possible, esp. since they have that problem with some versions of DOS anyways. I know NAV 3.0 can scan inside .ZIP files, if that is what you're referring to, though I don't think you are.

>2. How easy is it for a virus to defeat an antivirus product loaded as a tsr?
>   (dos)

Well, it's been done in the past, and no matter how much anti-tunneling code a vendor might want to throw in their TSR, it is always gunna happen. (I think, IMHO, etc... :))

>3. Given the following scenario:

>4. Is a product like fprot's virstop susceptible to the same weakness, when
>   it's loaded as a device driver without netware being loaded.

I'm not knowledgeable enough about the innards of virstop to give you an answer worth much, but I imagine it can't be too horribly difficult to disable a TSR.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Tue, 16 Aug 94 17:55:46 -0400
From: Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)
Subject: ThunderByte Anti-Virus v6.23 Released!

Taken from MIND LINK!
on Tue Aug 16 13:39:46 1994

Tue Aug 16 08:27:59 1994
Letter  : 2147417
From    : Piet de Bondt
Address : bondt@dutiws.TWI.TUDelft.NL
Subject : TBAV v6.23 (Complete/Optimized/Windows) available by FTP
Bytes   : 1051
To      : Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)

Member of the Thunderbyte Antivirus announcement list,

I just received and made available for FTP, tbav v6.23, both the complete package, the optimized versions, and the windows version. Note that you need the tbav623.zip file too for the windows version (for the virus-database and such).

Along with this release are the following files:

tbav623.zip    9-aug-94   Thunderbyte Anti-Virus utilities v6.23
tbavw623.zip  16-aug-94   TBAV for Windows
tbavx623.zip  10-aug-94   TBAV processor optimized versions v6.23
                          Only for registered users !

The files are *now* available on ftp.twi.tudelft.nl:/pub/msdos/virus/tbav and will be uploaded as soon as possible to oak.oakland.edu, garbo.uwasa.fi and nic.funet.fi

Greetings, Piet de Bondt

E-mail: bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 70]
*****************************************
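Richard Ford's reply in the "ANSI bombs" thread of this digest describes the problem (a text file that, when displayed through ANSI.SYS, reassigns keys to type commands) and the mitigation (do not load ANSI.SYS, or use a replacement driver that ignores reassignment). As an added example, not part of the digest and not any poster's code, the Python below finds the ANSI.SYS keyboard-reassignment sequence (ESC [ key ; replacement ... p) in a file so a suspect text file can be checked before it is typed to the screen. Colour and cursor sequences end in other final bytes and are left alone. The sample bytes, the function names and the F-key scan-code table are mine.

```python
"""Find ANSI.SYS keyboard-reassignment sequences ("ANSI bombs") in a text file."""
import re
import sys

# ANSI.SYS key reassignment: ESC [ key ; replacement [; replacement ...] p
# Each parameter is either a decimal ASCII code or a double-quoted string.
_PARAM = rb'(?:\d+|"[^"]*")'
KEY_REMAP_RE = re.compile(rb'\x1b\[(' + _PARAM + rb'(?:;' + _PARAM + rb')*)p')
_PARAM_RE = re.compile(_PARAM)

# Extended keys are sent as "0;<scan code>"; F1..F10 are scan codes 59..68.
_EXTENDED_KEYS = {59 + i: f"F{i + 1}" for i in range(10)}


def _decode_param(raw: bytes) -> str:
    """A quoted parameter is literal text; a bare number is one ASCII character."""
    if raw.startswith(b'"'):
        return raw[1:-1].decode("latin-1")
    return chr(int(raw))


def find_key_remaps(data: bytes) -> list:
    """Return every key reassignment in `data` as {offset, key, replacement}, in file order.

    Colour and cursor sequences (ESC [ ... m, ESC [ ... H, ...) end in other
    final bytes and never match, so ordinary ANSI art produces no findings.
    """
    findings = []
    for m in KEY_REMAP_RE.finditer(data):
        params = _PARAM_RE.findall(m.group(1))
        if params[0] == b"0" and len(params) >= 2:      # extended key: 0;scancode
            code = int(params[1])
            key, rest = _EXTENDED_KEYS.get(code, f"ext:{code}"), params[2:]
        else:
            key, rest = _decode_param(params[0]), params[1:]
        findings.append({
            "offset": m.start(),
            "key": key,
            "replacement": "".join(_decode_param(p) for p in rest),
        })
    return findings


def is_ansi_bomb(data: bytes) -> bool:
    """True when the file would reassign at least one key if typed through ANSI.SYS."""
    return bool(find_key_remaps(data))


# Constructed sample: ordinary colour codes followed by two key reassignments.
SAMPLE = (
    b"\x1b[1;31mWelcome to the BBS!\x1b[0m\r\n"
    b'\x1b[65;"echo hi";13p'        # 'A' -> types "echo hi" then Enter
    b'\x1b[0;59;"dir";13p'          # F1  -> types "dir" then Enter
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in find_key_remaps(data):
        print(f"offset {f['offset']}: key {f['key']!r} -> {f['replacement']!r}")
    print("ANSI bomb" if is_ansi_bomb(data) else "no key reassignment found")
```

Run with a filename to check a downloaded text file, or with no argument to see the constructed sample flagged. The check is deliberately narrow: it only reports sequences that end in the reassignment final byte `p`, so normal ANSI colour art is not flagged, and it looks for a real ESC (0x1B) byte because that is the only thing ANSI.SYS interprets.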
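Vesselin Bontchev's point in the "Norman Virus Control and Satan Bug" thread of this digest is that a device driver can begin with an EXE header and so is a valid host for an EXE infector whatever its .SYS extension, which a scanner that decides by extension will miss. As an added example, not from the digest and not any vendor's product, the Python below classifies DOS files by content (an MZ header, and a device-driver header either at offset 0 or at the start of the EXE load image) and reports where an extension-only decision and a content decision disagree. The sample files are constructed minimal images, not real programs; the rule that an EXE-format driver keeps its device header at the start of the load image is my assumption about the layout Vesselin describes.

```python
"""Classify DOS files by content rather than extension: EXE, device driver, or both."""
import struct

MZ_MAGICS = (b"MZ", b"ZM")          # both byte orders are accepted by DOS
DEVICE_HEADER_LEN = 18              # next-ptr(4) attr(2) strategy(2) interrupt(2) name(8)


def has_mz_header(data: bytes) -> bool:
    """True when the file starts with a DOS EXE header."""
    return len(data) >= 0x1C and data[:2] in MZ_MAGICS


def exe_image_offset(data: bytes) -> int:
    """Offset of the load image: e_cparhdr (header size in paragraphs) * 16."""
    return struct.unpack_from("<H", data, 8)[0] * 16


def has_device_header(data: bytes, at: int = 0) -> bool:
    """A device driver header begins with a 0xFFFFFFFF 'next driver' pointer."""
    return len(data) >= at + DEVICE_HEADER_LEN and data[at:at + 4] == b"\xff\xff\xff\xff"


def classify(data: bytes) -> str:
    """Content-based type: 'exe', 'exe-format device driver', 'binary device driver' or 'other'."""
    if has_mz_header(data):
        # Assumption: an EXE-format driver keeps its device header at the start of the load image.
        if has_device_header(data, exe_image_offset(data)):
            return "exe-format device driver"
        return "exe"
    if has_device_header(data, 0):
        return "binary device driver"
    return "other"


def needs_exe_checks_by_extension(name: str) -> bool:
    """What an extension-keyed scanner would decide."""
    return name.lower().endswith(".exe")


def needs_exe_checks_by_content(data: bytes) -> bool:
    """What a content-keyed scanner decides: anything with an MZ header can host an EXE infector."""
    return classify(data) in ("exe", "exe-format device driver")


def audit(files: dict) -> list:
    """Report (name, kind, by_extension, by_content) for files where the two decisions disagree."""
    disagreements = []
    for name, data in files.items():
        by_ext = needs_exe_checks_by_extension(name)
        by_content = needs_exe_checks_by_content(data)
        if by_ext != by_content:
            disagreements.append((name, classify(data), by_ext, by_content))
    return disagreements


# --- constructed sample files (minimal images, not real programs) ---
def _mz_header(image: bytes, header_paras: int = 2) -> bytes:
    """Build a minimal MZ header whose load image starts at header_paras*16."""
    hdr = bytearray(header_paras * 16)
    total = len(hdr) + len(image)
    struct.pack_into("<2sHHHH", hdr, 0, b"MZ", total % 512, (total + 511) // 512, 0, header_paras)
    return bytes(hdr)


_CODE = b"\xb8\x00\x4c\xcd\x21"                                   # mov ax,4C00h / int 21h
_DEVHDR = b"\xff\xff\xff\xff" + struct.pack("<HHH", 0x8000, 0x0012, 0x0018) + b"MYDEV   "

PLAIN_EXE = _mz_header(_CODE) + _CODE
RAW_DRIVER = _DEVHDR + _CODE
EXE_DRIVER = _mz_header(_DEVHDR + _CODE) + _DEVHDR + _CODE
SAMPLE_FILES = {
    "GAME.EXE": PLAIN_EXE,        # both decisions agree (scan as EXE)
    "GAME.DAT": PLAIN_EXE,        # renamed EXE: extension says no, content says yes
    "OLDDEV.SYS": RAW_DRIVER,     # classic binary driver: both decisions agree (not EXE)
    "HOST.SYS": EXE_DRIVER,       # EXE-format driver: extension says no, content says yes
}

if __name__ == "__main__":
    for name, kind, by_ext, by_content in audit(SAMPLE_FILES):
        print(f"{name:12} {kind:26} extension-only={by_ext} content={by_content}")
```

The two disagreements the audit prints are exactly the two cases the thread argues about: a renamed EXE (which Norman says the virus does infect) and an EXE-format .SYS driver (which Vesselin reports as infected). A scanner that keys its EXE checks on the MZ header rather than on the file name covers both.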