VIRUS-L Digest   Friday, 19 Aug 1994    Volume 7 : Issue 72

Today's Topics:

Re: Netcom distributing viruses
Re: Virus signatures
Re: Increased Enrollment at Lehigh
Data Fellows WWW server
Re: Virus Definition Revisited...
Re: Netcom distributing viruses
Virus Info Wanted - History etc
backform/FAQ
Virus simulators
Help re Virus historys, types, etc
Mac Anti-Virus Tools (MAC)
386/486 virus protection(UNIX)
Re: Fixing the boot sector of a floppy? (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
A new virus? (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Rosenthal virus simulator (PC)
Re: Rosenthal Virus Simulator (PC)
Boot disk & DrvSpace (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: UNDETECTED th-th VIRUS!!! (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Lenart? or CPAV blof. (PC)
Re: Help Win 32 Bit File Virus? (PC)
Re: changing genP/genB virus (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Re: HK Vtech virus & Amoeba (PC)
Has anyone had the sigilit virus? (PC)
Rosenthal Virus Simulator(VIRSIM2C.ZIP) (PC)
HELP FKRUEGER (PC)
Re: TranScan (PC)
Re: McAfee Virus Scan (PC)
New Stoned Virus? (PC)
Re: Network virus protect (PC)
Junkie virus and McAfee Scan 117 (PC)
tbav623 - Thunderbyte anti-virus v6.23 (Complete/Optimized/Windows)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 18 Aug 94 01:12:51 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Netcom distributing viruses

Fridrik Skulason wrote:

[stuff deleted]

)Netcom's policy on making viruses available via FTP is:
)
) >Viruses and information relating to viruses are not, at this time,
) >controlled code. We allow users to make available via anonymous FTP any
) >and all data as long as it is legal, which viruses, viral source code, and
) >newsletters published by virus groups are. It is not placed there by
) >Netcom, and its distribution is not necessarily endorsed by Netcom.
)
)So, the next time you get hit by a virus, remember to send Netcom a "thank-you"
)note for assisting in distributing them.

Their policy seems perfectly reasonable and legitimate to me.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 18 Aug 94 03:24:55 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Virus signatures

Diego Montanez wrote:
>Hello,
>
>I have to do a programming project and I intend to make a simple file-infecting
>virus scanner. My question is: how do the commercial antivirus scanners

I think you mean file-infector detecting virus scanner.

>accomplish this task and, where could I get a library of virus signatures
>to use with my program?

I'm unaware of any "library" of virus signatures. I have seen some signatures from SCAN posted up a few times, and Virus-Bulletin publishes strings to detect viruses.
You can also try your luck (if you have some samples!) with crud like VSUM.

Most commercial scanners don't use the "infamous scan string" -- it's too slow, and it's not really applicable to today's environment of viruses; they are getting too advanced.

If you don't have any viruses to work with, then you are kinda at a loss - and, besides, how would you test your project?! If you do, then you should be able to figure out how to identify a sample in a primitive way -- why not just take a chunk of the virus that is unique to the virus and then you could simply open up files for read, read them in, and see if that chunk exists in the file. Of course, this will be absolutely horrid and slow, but for a simple project, it doesn't need to be fancy.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: 18 Aug 94 09:31:56 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Increased Enrollment at Lehigh

Iolo Davidson writes:

> The "Organisation:" line on all comp.virus posts is set to Lehigh
> University. On my newsreader this is reported at the top of messages
> as: "From Iolo Davidson at Lehigh University". This may give a false
> impression to new users of the group.
>
> [Moderator's note: This is due to the fact that all of the messages
> are first posted to the VIRUS-L mailing list (which is distributed by
> listserv@lehigh.edu); from there, the digests are exploded into
> individual postings and then posted to comp.virus. Thus, all of the
> postings appear (to the news system) to originate at Lehigh. Yes,
> there are ways around this, but they would involve sending all of the
> relevant newsgroup headers (not just organization:) to the mailing
> list, which I would prefer to not do. I'm open to hearing better
> suggestions, though.]
I kind of thought that as the whole virus thing leads back to Lehigh University anyway, it was rather fitting... after all, aren't most of us students there? 8*)

[Please don't post reminding me that Brain etc came first. Poetic licence and all that...]

Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Thu, 18 Aug 94 06:16:30 -0400
From: mikko.hypponen@wavu.elma.fi (Mikko Hypponen)
Subject: Data Fellows WWW server

Data Fellows is happy to announce that our World Wide Web server is now operational. Use your WWW browser to connect to URL http://www.datafellows.fi/.

The server enables Internet users to browse through various information, including:

- - PC-virus information: an on-line database of virus descriptions, virus-related news, HTML versions of F-PROT Professional Update Bulletins (all issues since 1992), and a hypertext version of the comp.virus/VIRUS-L Frequently Asked Questions
- - information about Data Fellows Ltd's products: there are white papers and demonstrations available for instant downloading
- - Data Fellows press releases
- - Pointers to other, related sources of information around the internet

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Thu, 18 Aug 94 06:27:38 -0400
From: mjb@doc.ic.ac.uk (Matthew Jude Brown)
Subject: Re: Virus Definition Revisited...

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>2) The Delwin.1759 virus that I had to analyse recently (it's in the
>wild in Germany) modifies its activation date, based on the time of
>infection.

I'm glad I called this virus the same as you did when I analysed it last week! Yes, it's in the wild, but not too awkward to detect provided you clean-boot your system (it infects both EXEs and MBRs and is stealth, but it has a constant (apart from immediate data) decryptor ...)
- -Matt
- --
 ____   Morven -- mjb@doc.ic.ac.uk -- m.brown@ic.ac.uk -- Matthew Jude Brown
 \ _/__ Sophos PLC, 21 The Quadrant, Abingdon, Oxon OX14 3YS - (0235) 559933
  \X /  32 Goldsmiths Lane, Wallingford, Oxfordshire OX10 0DN (0491) 833990
   \/   | We are the people our parents warned us about |

------------------------------

Date: Thu, 18 Aug 94 06:31:27 -0400
From: ygoland@hollywood.cinenet.net (Yaron Y. Goland)
Subject: Re: Netcom distributing viruses

That netcom allows its users to distribute viral code and related information when clearly marked as such is required as a basic characteristic of freedom as defined in the United States of America. I realize that many people in this group come from countries where the emphasis of society is placed upon the society and not the individual. Thus society feels perfectly within its rights to restrict the rights of the individual at any time it feels a threat to itself. The USA does not operate like that, at least not yet. There is a price to be paid for freedom: it means we have to let white supremacists march through predominantly black towns, it means we have to let Holocaust deniers publish their views, it also means that we can encrypt our material freely and speak out against our government without fear of censure. Some of the people who clamor for laws preventing the distribution of viral code when clearly marked as viruses (i.e. this is different from infecting a program and then distributing the infected program without warning people what they are getting) come from countries where people can't say that the Holocaust never happened; however, it is also illegal in their countries to encrypt their communications without giving the government the keys. Freedom is not easy; its price is that we have to hear and allow things to happen that we do not agree with, but in this citizen's mind it is a small price to pay for the benefits it brings.
Many of the people who read this group are considered by the public as experts on the subject of computer viruses and their views will be sought when legislation relating to virus and malicious software is written. I hope they will keep in mind the nature of freedom, its costs as well as its benefits.

"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves." - William Pitt, Prime Minister of England, B.1708, D.1778

Yaron Y. Goland
- ---
ygoland@seas.ucla.edu        Senior, Computer Science & Engineering
73160.327@compuserve.com     School of Engineering and Applied Science
                             University of California, Los Angeles

------------------------------

Date: Thu, 18 Aug 94 07:15:12 -0400
From: s9311955@op1.up.ac.za
Subject: Virus Info Wanted - History etc

I'm looking for information on viruses, specifically on their history, general info on how they infect and are transmitted. Any files, FAQ's or FTP sites would be appreciated. Please mail info to S9311955@op1.up.ac.za

Thanks

------------------------------

Date: Thu, 18 Aug 94 13:42:45 -0400
From: rick@astro.ocis.temple.edu (R.Ellmaker)
Subject: backform/FAQ

Hello! I have two questions...

(1) I downloaded f-prot 2.13 and scanned my system. I got a report that the command.com file was infected with BACKFORM (?) (...with the (?) ). The documentation for f-prot had very little to say about this. I replaced the command.com and things appear to be fine (...no infections reported from f-prot or msav ). Does anybody know anything about BACKFORM ?

(2) Where can I get the FAQ for this group, and also the list of all known viruses (I believe it's called VSV, or something like that)

[Moderator's note: Look for the FAQ on the primary archive, corsa.ucr.edu.]
Thanks for any help you can offer,

Rick

------------------------------

Date: Thu, 18 Aug 94 14:03:46 -0400
From: sand@biko.llc.org (David Adams)
Subject: Virus simulators

Hi All!

I was wondering if any of you have an FTP site where we can get some virus simulators..

Thanks!

- --
Acces Public LLC    Public Internet Site, City of Quebec
For information: (418) 692-4711    blitz@llc.org

------------------------------

Date: Fri, 19 Aug 94 04:39:19 -0400
From: s9311955@op1.up.ac.za
Subject: Help re Virus historys, types, etc

I'm looking for any info, FAQ's, files etc on the history, mechanisms of infection, and types of viruses for a varsity project. If possible could you include the source of the info. Any FTP sites, files, mail etc would be welcomed. Mail to s9311955@op1.up.ac.za.

Thank you

------------------------------

Date: 18 Aug 94 09:34:34 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Mac Anti-Virus Tools (MAC)

I'm trying to update my (sparse) knowledge of the Mac virus scene - in particular, I would like to talk to vendors who have a Mac A/V product, in order to produce a list of suppliers. Can anyone who develops a Mac A/V product Email please. If I get a reasonable response, I'll post a summary.

Regards,

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Thu, 18 Aug 94 08:17:30 -0400
From: jaf@jaflrn.Morse.Net (Jon Freivald)
Subject: 386/486 virus protection(UNIX)

In answer to this question (as well as the one about Sun UNIX), you might want to look into Tripwire from Purdue. It's a pretty awesome integrity management system that's been ported to most flavors of Unix. (I currently run it under Linux.)

As for DOS Boot Sector viruses - any good DOS anti-virus that will run from a floppy ought to do you just fine. Then again, as long as you never put a DOS floppy in your drive, you don't have a concern from there either...
- --
Jon Freivald ( jaf@jaflrn.Morse.Net )
PGP V2 - 22A829/40 DA 9E 8E C0 A1 59 B2 46 3B 73 81 2B 7B 83 1F
Nothing is impossible for the man who doesn't have to do it.

------------------------------

Date: Wed, 17 Aug 94 23:21:13 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Fixing the boot sector of a floppy? (PC)

Vesselin Bontchev wrote:
)renrick tulloch (rtulloch@lynx.dac.neu.edu) writes:
)
)> A lot of our floppies were infected by the Genb and Genp virus,
)> which affects the boot sector.
)
)Repeat after me: THERE IS NO SUCH THING AS *THE* GENB/GENP VIRUS. It
)is a way of McAfee's SCAN to tell you "your boot sector/MBR seems to
)be infected but I have no idea which particular virus it might be".

What an obnoxious way to educate a user. Make him feel like an ignorant slob for asking a stupid question. Repeat after me: THERE ARE NO STUPID QUESTIONS, JUST UNASKED ONES. Of course, the information you present is correct, just the presentation suffers.

[stuff deleted]

)No, there is no exact equivalent. I wish that SYS had an option (e.g.,
)SYS/DBS) to put only a copy of the DOS Boot Sector on a floppy
)(without the operating system files). Unfortunately, neither Microsoft
)nor IBM nor Novell have listened to my suggestions.

We agree again. It should not be hard to write a utility which would read the boot sector off any cleanly formatted disc, fix up the BPB part of it and write it to the disc to be "disinfected". Maybe I'll do it. But not now, I'm working 14 hours per day as it is. Anyone else want to pick up the gauntlet? It would be a good thing!

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 17 Aug 94 23:37:42 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Vesselin Bontchev writes... and writes...
and writes:

> The problems I have with this is that, due to lack of technical
> expertise, very few users are able to understand how unsuitable your
> product is for testing scanners.

You're the only one who said Virus Simulator was designed to replace real viruses for testing scanners, Vess. Its purpose and limitations are spelled out quite clearly in the documentation file. Although you have posted your opinion on the value and function of Virus Simulator before you looked at it, there is still time to read the documentation. Virus Simulator serves the function I designed it to do and performs as described in the documentation. I can certainly appreciate your position that it is not a substitute for testing with a large collection of real viruses.

I'll not bore everyone with a copy of the complete and rather lengthy documentation, as they can obtain a copy for themselves quite easily. Here's some of what it says......

Virus Simulator

Virus Simulator creates a simulated test suite of .COM and .EXE programs as well as boot sector and memory resident viruses. These programs contain the signatures (only) from real viruses. The programs themselves are not really infected with anything, but contain carefully selected portions of code from their real virus counterparts. Whenever possible, these sections of code or virus signatures are selected to trigger vigilant virus detectors. Since these are really only dummy viruses, not all infected program simulations produced by Virus Simulator will trigger every virus detecting program.

Real Viruses or Simulated Viruses for Testing

These test virus simulations are not intended to replace the comprehensive collection of real virus samples as maintained by Rosenthal Engineering and other anti-virus product developers for testing. They are, however, suitable for use by general end users, system administrators and educators.
These virus simulations set off virus detectors for testing and demonstration without the danger associated with their malicious virus counterparts. The simulators all produce safe and controlled dummy test virus samples that enable users to verify that they have installed and are using their virus detecting programs correctly, additionally affording an opportunity for a practice training exercise under safe and controlled conditions.

Access to the Rosenthal Engineering Virus Collection

The Virus Simulators and supplements are really intended to give users some hands-on practical experience using their virus protection products, on their own systems, without using live ammo. The simulators' ability to actually test products exhaustively is limited. That's why Rosenthal Engineering maintains a very comprehensive collection of real sample viruses for testing at our facility...........

>> If you want
>> to see how your anti-virus product looks when it detects a virus,
>> Virus Simulator will certainly allow you to do just that, and
>> quite effectively.

> Wrong. The shareware version of the product only helps you to see how
> your anti-virus product looks when it causes a false positive. I
> wouldn't mind if *this* were how the product is marketed, instead of
> being advertised for testing anti-virus products.

Vess... If you're not using my Virus Simulator for what it's designed to do, it's not going to do a very good job for you.

>> simulations supplied by my product. Virus Simulator provides
>> several safe but far more dramatic bait alternatives. At least
>> some of the simulations should set off the anti-virus program you
>> are demonstrating.

> Yes, at least some of the non-viruses generated by the simulator are
> likely to cause a false positive of several scanners. This is not how
> one tests scanners, however.

Vess, it's designed to set off scanners, activity monitors and integrity checkers etc.
Many anti-virus product producers appreciate the ability to work with Virus Simulator and have made efforts to be compatible. You're right, this is not designed to replace real viruses to test scanners, please don't tell people it is. These samples make every effort to get caught and many anti-virus products make efforts to catch them.

>> For example, you can watch how the boot sector simulations get
>> executed when a floppy disk remains in the drive when your system
>> is turned on. The Virus Simulator Supplement "B" even allows the
>> system to load normally off your hard drive after it takes over
>> in memory. It beeps continuously (even in Windows) while it
>> displays "Rosenthal Engineering Test Virus in Memory" and gives
>> you approx. four minutes to exercise your anti-virus measures
>> before the message dominates the screen and on most systems locks
>> the keyboard.

> Just in case the above leaves somebody with the impression that *this*
> is what boot sector viruses look like - it isn't.

No Vess. These are simulations and just in case there's any doubt it yells "Caution! Generating dummy test virus!" from the speaker in my voice. I call the program Virus Simulator. It flashes that message on the screen, it displays it in plain text in the files, memory and boot sector. And if you'd bother to read the documentation, I'm sure you would find it there as well.

>> That should certainly reveal the virus-alert-screen you wish to
>> examine, don't you agree?

> No. The proper place to look for such information is the documentation
> of the anti-virus product.

Please Vess. Won't you at least look at the documentation file for *my* anti-virus product. Virus Simulator should only need to satisfy the claims I make for it... Not what someone who doesn't feel a need to look at the product or read the documentation before expressing his opinion thinks it's supposed to do.

Doren Rosenthal....
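The scanner approach Kevin Marcus sketches in "Re: Virus signatures" earlier in this digest (take a chunk of bytes unique to the virus, read each file in, look for that chunk), and Matthew Brown's remark in "Re: Virus Definition Revisited..." that Delwin.1759 carries a decryptor that is constant apart from its immediate data, are worth seeing in working form; they also show why a file that contains only a virus's signature bytes, as the simulator files argued over above do, sets a scanner off. The Python below is an editor's added example, not code from the digest or from any product named in it. The signature table, the names Demo.Fixed and Demo.Decryptor, and the sample files are constructed for illustration and correspond to no real virus.

```python
"""Added example: a minimal file-infector signature scanner.

Not code from the digest or from any product named in it. Signatures and
sample files are constructed for this illustration and match no real virus.
"""
import os
import re
import tempfile

# Constructed signature table.  Each entry is a hex string; "??" marks a
# byte that may vary between infections (an immediate operand, for
# instance).  A fixed string is the plain "scan string"; the wildcard form
# is what a decryptor that is constant apart from its immediate data needs.
SIGNATURES = {
    # Illustrative only: a fixed run of bytes (call $+3 / pop si / sub si,imm).
    "Demo.Fixed": "E8 00 00 5E 81 EE 03 01",
    # Illustrative only: a 16-bit xor decryptor loop with variable counter,
    # start offset and key:  mov cx,imm / mov si,imm / mov ax,imm /
    # xor [si],ax / inc si / inc si / loop (back 6 bytes -> E2 FA).
    "Demo.Decryptor": "B9 ?? ?? BE ?? ?? B8 ?? ?? 31 04 46 46 E2 FA",
}


def compile_signature(hexsig: str) -> re.Pattern:
    """Turn 'AA ?? BB' into a bytes regex with '.' for each wildcard byte."""
    parts = []
    for tok in hexsig.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so a wildcard also matches byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list:
    """Return the names of every signature found in data, in table order."""
    return [name for name, pat in COMPILED.items() if pat.search(data)]


def scan_file(path: str) -> list:
    # Whole-file read: simple and, as Marcus warns, slow on a large disk.
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def scan_tree(root: str, exts=(".com", ".exe")) -> dict:
    """Scan every file with a matching extension below root.

    Returns {relative path: [signature names]} for the files that matched."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                full = os.path.join(dirpath, fn)
                names = scan_file(full)
                if names:
                    hits[os.path.relpath(full, root)] = names
    return hits


# Constructed sample files (not real programs, not real infections).
CLEAN_COM = b"\xB4\x09\xBA\x00\x01\xCD\x21\xC3" + b"Hello$"
# The same code with a decryptor-shaped tail using arbitrary immediates.
INFECTED_COM = CLEAN_COM + b"\xB9\x10\x02\xBE\x33\x01\xB8\x5A\xA5\x31\x04\x46\x46\xE2\xFA"
# A file carrying the fixed string somewhere in the middle.
INFECTED_EXE = b"MZ" + b"\x00" * 60 + b"\xE8\x00\x00\x5E\x81\xEE\x03\x01" + b"\x90" * 16


def build_sample_tree() -> str:
    """Write the constructed samples to a temp directory; returns its path."""
    root = tempfile.mkdtemp(prefix="sigscan-")
    samples = (("CLEAN.COM", CLEAN_COM), ("BAIT.COM", INFECTED_COM),
               ("BAIT.EXE", INFECTED_EXE), ("README.TXT", INFECTED_COM))
    for name, body in samples:
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for path, names in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{path}: {', '.join(names)}")
```

The "??" wildcards let one pattern cover every infection of a virus whose decryptor code is fixed while its immediates change. A pattern short enough to search quickly is also likely to turn up in innocent code, which is the false-positive problem the simulator thread above turns on; a production scanner narrows both the patterns and the places in the file it looks at rather than reading every file whole as this does.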
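Mike McCarty's suggestion in "Re: Fixing the boot sector of a floppy?" above (read the boot sector off a cleanly formatted disk, fix up its BPB, write it to the disk being disinfected) comes down to a small byte-splicing job once the sector layout is known. The Python below is an editor's added example, not code from the digest. It assumes the DOS 4.0+ layout (BIOS Parameter Block plus extended BPB at offsets 0x0B to 0x3D, boot code from 0x3E, 55AA signature at 0x1FE) and works on constructed 512-byte sectors, not images of real disks; writing the result back to a floppy (INT 13h or a raw device write) is left out.

```python
"""Added example: rebuild a DOS floppy boot sector from a clean template
while keeping the target disk's own BPB.

Not code from the digest.  Assumes the DOS 4.0+ boot sector layout:
BPB + extended BPB at [0x0B, 0x3E), boot code from 0x3E, 55AA at 0x1FE.
The sample sectors are constructed, not read from real disks."""
import struct

SECTOR = 512
BPB_START, BPB_END = 0x0B, 0x3E   # extended BPB occupies [0x0B, 0x3E)
SIG_OFFSET = 0x1FE
BPB_FMT = "<HBHBHHBHHHIIBBBI"      # fields from 0x0B up to the volume label


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields (little-endian) that the sanity check needs."""
    (bps, spc, reserved, fats, root_entries, total16, media, spf, spt,
     heads, hidden, total32, drive, _res, ext_sig, serial) = struct.unpack_from(
        BPB_FMT, sector, BPB_START)
    return dict(bytes_per_sector=bps, sectors_per_cluster=spc, reserved=reserved,
                fats=fats, root_entries=root_entries,
                total_sectors=total16 or total32, media=media,
                sectors_per_fat=spf, sectors_per_track=spt, heads=heads,
                hidden=hidden, drive=drive, ext_sig=ext_sig, serial=serial,
                label=sector[0x2B:0x36], fstype=sector[0x36:0x3E])


def bpb_is_sane(b: dict) -> bool:
    """Reject a BPB a virus has overwritten rather than writing junk back."""
    return (b["bytes_per_sector"] == 512
            and b["sectors_per_cluster"] in (1, 2, 4, 8, 16, 32, 64, 128)
            and b["fats"] in (1, 2)
            and b["reserved"] >= 1
            and b["root_entries"] > 0
            and b["total_sectors"] > 0
            and (b["media"] == 0xF0 or 0xF8 <= b["media"] <= 0xFF)
            and b["sectors_per_fat"] > 0
            and b["sectors_per_track"] > 0 and b["heads"] > 0
            # 0x28/0x29 means the extended BPB is present (DOS 4.0+ format).
            and b["ext_sig"] in (0x28, 0x29))


def rebuild_boot_sector(clean_template: bytes, target: bytes) -> bytes:
    """Clean template's jump, OEM name and boot code + target's own BPB.

    Raises ValueError instead of producing a sector DOS could not use."""
    if len(clean_template) != SECTOR or len(target) != SECTOR:
        raise ValueError("boot sectors must be exactly 512 bytes")
    if clean_template[SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("clean template lacks the 55AA boot signature")
    if clean_template[0] not in (0xEB, 0xE9):
        raise ValueError("clean template does not start with a jump")
    bpb = parse_bpb(target)
    if not bpb_is_sane(bpb):
        raise ValueError("target BPB fails sanity checks; a virus may have overwritten it")
    new = bytearray(clean_template)          # template code replaces whatever was there
    new[BPB_START:BPB_END] = target[BPB_START:BPB_END]   # keep the disk's own geometry/serial/label
    new[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(new)


def make_sector(code: bytes, serial: int, label: bytes, oem: bytes = b"MSDOS5.0") -> bytes:
    """Constructed 1.44 MB FAT12 floppy boot sector carrying the given code."""
    bpb = struct.pack(BPB_FMT, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0, 0, 0, 0x29, serial)
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x3C\x90"
    s[3:11] = oem.ljust(8)[:8]
    s[BPB_START:0x2B] = bpb
    s[0x2B:0x36] = label.ljust(11)[:11]
    s[0x36:0x3E] = b"FAT12   "
    s[0x3E:0x3E + len(code)] = code
    s[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(s)


# Stand-ins, not real DOS boot code and not a real virus.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
VIRUS_CODE = b"\xEB\x10\x90" + b"VIR" * 20
CLEAN_TEMPLATE = make_sector(CLEAN_CODE, serial=0x11111111, label=b"CLEAN")
INFECTED = make_sector(VIRUS_CODE, serial=0x2A7B3C4D, label=b"MYDATA")

if __name__ == "__main__":
    fixed = rebuild_boot_sector(CLEAN_TEMPLATE, INFECTED)
    print("serial %08X label %r code-from-template %s" % (
        parse_bpb(fixed)["serial"], parse_bpb(fixed)["label"],
        fixed[0x3E:0x1FE] == CLEAN_TEMPLATE[0x3E:0x1FE]))
```

The sanity check covers the case the thread does not raise: a boot sector virus that has overwritten the BPB instead of preserving it. The target's BPB is then junk, the only safe source is the BPB of a clean disk of the same format, and the function refuses to guess rather than pick one. The volume serial and label stay the disk's own, so anything keyed on the serial keeps working after the repair. The template should come from the DOS version the disk is meant to boot, since its code and its BPB layout go together.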
------------------------------

Date: Wed, 17 Aug 94 23:42:11 -0400
From: ehjones@whale.st.usm.edu (Eric Hilton Jones)
Subject: A new virus? (PC)

A friend of mine has a real problem. He has a virus that:

1. Is undetectable using McAfee (2.10, 1.17, 1.13), MSAV 6.22, F-prot (late July).

2. You cannot run (get "error in .EXE") them by name, unless you rename them (McAfee, MSAV). After running them, if you reboot you get "CHECKSUM ERROR IN CMOS", and you have to re-enter all of the values. The renamed files all have the same three bits (hex 81 70 0C).

3. It copies executable files like pkzip.exe, q.exe, [...] into system files (invisible) and makes a new file the same size, time, and date but with new code. This has only been done to semi-small executable files.

4. CHKDSK, NDD, CHECKIT, PCPROBE indicate no problems.

5. If you boot from a floppy, you cannot access drive c:.

He thinks that it is probably a variation of the mutation engine, but that's just a guess. He spent some time talking with the tech boys at McAfee, and they've never heard of it. VSHIELD was not running at the time of the infection, but afterwards did not detect anything.

Any help would be appreciated. Email to me, or to: rpwebb@whale.st.usm.edu

thanks a lot!

eric jones
ehjones@whale.st.usm.edu
- -------------------------------------
"It was suffering and impotence - that created all afterworlds; and that brief madness of happiness that only the greatest sufferer experiences. Weariness, which wants to reach the ultimate with a single leap, with a death-leap, a poor ignorant weariness, which no longer wants even to want: that created all gods and afterworlds." -Nietzsche, Thus Spoke Zarathustra

------------------------------

Date: Thu, 18 Aug 94 00:10:42 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

I deleted the stuff from two messages back.
Doren Rosenthal wrote:
) -------------------------------------------
)August 14, 1994
)
)(Vesselin Bontchev) writes:
)
)Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
)Date: Wed Aug 10 08:14:14 1994
)
)>> Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:
)
)>His "very positive comment" indicates only that you have succeeded to
)>fool him to believe that your Virus Simulator is useful, which it
)>isn't, as I have explained several times already.
)
)Yes, although you have explained your views on my Virus Simulator
)even before you saw it, there are many who have examined it for
)themselves and formed their own opinions. Some people will
)disagree with you, as I do.

Once again, Rosenthal shows restraint.

)> I strongly suspect that the intent to fool the people that your
)> program is of any use and therefore to buy it has been exactly your
)> intended purpose.

At least you said "strongly suspect" with the "fool". This shows remarkable restraint for you. I hope this trend continues until you are actually able to post a reasonably cultured message.

[stuff deleted]

)> . such as viruses. I will *really* appreciate if you stop promoting
)> your viruses here. It contradicts the charter of this forum. Go brag
)> about them on your favorite virus exchange BBS.
)
)Your attempts to suppress opinions that are contrary to your own
)continue to disappoint me. People should be able to hear all
)sides of an issue and make up their own minds without one of the
)participants being invited to take his ideas elsewhere. Vess,
)although your postings dominate this forum, there are other
)readers who might appreciate being able to share ideas and freely
)examine other points of view legitimately different from yours.

Hear, hear! Bravo! Well said!

Furthermore, I believe that the charter (if it indeed forbids offering virus material, I haven't seen the charter) should be changed.
If the purpose here is to educate ourselves about viruses for the purpose of eradicating these pestiferous things, then let's do so. Let's face it. Those who want to get copies of viruses -can- get them. I got one WHEN I DIDN'T EVEN WANT ONE. In fact, this whole newsgroup wouldn't exist IF IT WEREN'T EASY TO GET A VIRUS WITHOUT TRYING, IN FACT WHILE TRYING NOT TO!

Get a grip, Vesselin. Rosenthal is not bragging about his dangerous viruses and how many thousands of machines he has infected. I don't use any BBS's. I imagine, however, that those which cater to the virus producers are replete with bragging along these lines. This is a very pejorative and unworthy personal attack, completely without foundation. What -evidence- do you have that Rosenthal uses such BBS's?

I call on the Moderator to gag Vesselin for making personal attacks which are libellous and off-topic.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 18 Aug 94 00:18:11 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Vesselin Bontchev wrote:
)Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

[stuff deleted]

)THE ONLY THING I HAVE A PROBLEM WITH IS PEOPLE ADVERTISING VIRUSES
)HERE! Please, either stop doing it here, or go doing it somewhere
)else, where such things will be appreciated.

This is demonstrably untrue. Previous posts of yours have indicated that you have several disagreements with Doren Rosenthal. You have called him a liar, used words to the effect that he intends to fool other people, and otherwise maligned his intentions and motives.

This (and your previous post on this thread) showed remarkable restraint for you Vesselin (which is why I did not post in response to them). I commend you for showing a more mature attitude in these latest posts. But this last paragraph of yours cannot be allowed to go unchallenged.
If you want, I can pull up previous posts of yours to prove what I said above.

Incidentally, where is a copy of the charter, and where does it say that mentioning that a virus is available in such and such a place is against it? If that were really true, then no one could warn "Look out! File xyz.zip over on ftp.site.global has the PDQ virus in it!" because that would violate the charter.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 18 Aug 94 00:32:36 -0400
From: jmccarty@spd.dsccc.com (PB1-2603)
Subject: Re: Rosenthal virus simulator (PC)

Vassil Ivanov wrote:
)
)Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:
)
)>Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:
)
)[stuff deleted]
)
)>> The Virus Simulator MtE supplement virus therefore
)>> has both the permission of the user, and the consent of the
)>> copyright holder (me) of the host files it modifies.
)>
)>The Virus Simulator MtE supplement virus therefore provides a
)>convenient means to any malicious person to get his very own highly
)>polymorphic virus, without having to spend the time to write one. As
)>such, your product is *harmful* and you are a shame of the Association
)>of Shareware Professionals that you claim to be a member of.

Vesselin, if it weren't so easy to get a virus infection then this newsgroup wouldn't even exist.

)yeah, and besides that, MtE is copyrighted material, as it is clearly
)indicated in its docs. it's not shareware, freeware, copyware, vxware,
)use-me-to-make-money-ware, or any of that sort. and I don't think that
)Doren Rosenthal got any kind of permission from the author(s) to use
)MtE for profit, or for anything at all. an asp member selling stolen
)software. what a shame indeed. can't you people make anything ORIGINAL?

This is the first criticism of Doren Rosenthal I have heard which made any sense at all.
All the others seemed to be incoherent emotional outbursts to the effect that Doren must be morally deficient for selling an infective program.

I have no copy of MtE, nor any copy of its docs. Does such exist? Under what terms may it be used? Do you have that information, Vassil? How about it, Doren? Did you get permission? Did you need it?

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 18 Aug 94 00:48:12 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (PC)

Iolo Davidson wrote:
) datadec@corsa.ucr.edu "Kevin Marcus" writes:
)
)Re: Rosenthal's virus simulation stuff [much clipped]
)
)> How would you suggest he change it
)> so that we could all get along?
)
)If it is a virus, then he should not distribute it. If it is not a
)virus, he should not pretend that it is suitable for testing anti-virus
)software. This is the issue. It is intractable.

Well stated. You have found a position and dug in your heels. You will not be budged. Your mind is made up, and you do not want to be confused by facts. Your mental state is "intractable".

Others see things differently. But Iolo has made up his mind, and all must know that Doren Rosenthal has done something bad.

The -fact- is that viruses are -dangerous-. Whether Doren has succeeded in taming one so that it is -controllable- (I do not say benign, nor do I say "good") I do not know.

The -fact- is that some people find, after consideration, that his product is useful. If not, then surely he would stop wasting his time trying to sell it.

The -fact- is that there is ABSOLUTELY NOTHING WRONG with providing information on where some virus exists. I have seen many postings here alluding to the presence of some virus or other at various locations.

I believe that a "simulated" virus could indeed be useful for testing certain kinds of virus protection software.
Not all virus protection is provided by "scanner" type software. E.G. I use FLUSHOT+. A "simulated" virus which read the boot block off a floppy and attempted to write the very same data back to the floppy would be a useful program for testing the efficacy of such an "activity detector" type of software. Or to do something similar to an .exe file.

Furthermore, as we say in the US, being forewarned is being forearmed. In other words, being prepared is a very useful thing. If Doren has indeed produced a -controllable- virus, then experimentation with it could definitely have beneficial effects. That's the reason for fire drills, not to have "pretend" fires, but to have skills in place for when a real emergency arises.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 18 Aug 94 01:19:16 -0400
From: atlwin!mike.murphy@nntp.crl.com
Subject: Boot disk & DrvSpace (PC)

TO: bontchev@fbihh.informatik.uni-hamburg.de
From: mike.murphy@atlwin.com

Vesselin,

I can see by the multitude of great responses that you are the one that I should be asking about setting up a proper scan technique. I am attempting to check my hard-drive using F-Prot v2.13 from a boot disk. I am using MS-DOS v6.22 which is compressed with drivespace (replacing Dblspace). I can't seem to get F-Prot to scan the compressed disk.

Here is what I have on my write protected boot disk: autoexec.bat; config.sys; command.com; emm386.exe; himem.sys; drvspace.bin; ALL mouse files; ALL F-Prot 2.13 files.

AUTOEXEC.BAT:
    prompt $p$g
    set comspec=A:\command.com
    path=a:\
    a:
    f-prot

CONFIG.SYS:
    buffers=30,0
    dos=high
    dos=umb
    lastdrive=I
    device=a:\himem.sys
    device=a:\emm386.exe noems
    device=a:\virstop.exe
    device=a:\drvspace.bin      <---- get msg will not load
    devicehigh=a:\mouse.sys

So, that is what I have on my boot disk.
F-Prot starts up fine without a problem, but when I ask to scan Hard Drive, it takes about 2 seconds for over 370mb...that seems strange...it normally takes me about 45 seconds or so if I am using the hard disk scanner. Please help...I have tried everything I know how...including adding the drvspace.bin to config.sys.

Many thanks...bye...Murfster (yes, I know...in German...I was born in Nuremberg...but don't speak German...my grandma gets very (uh, oh...MAD) when I can't speak German). Don't know how to write it either...my sister still lives there near Parsburg...south of Nuremberg...

- ---
CMPQwk #1.4. UNREGISTERED EVALUATION COPY
- ----
+---------------------------------------------------------------------+
| The Atlanta Windows BBS (404)516-0048  9 high-speed USR nodes       |
| Largest Win-specific BBS in the SouthEast- CDROMs, RIME, INTERNET   |
+---------------------------------------------------------------------+

------------------------------

Date: Thu, 18 Aug 94 02:51:22 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Stanley E Ridenour wrote:
)jmccarty@spd.dsccc.com (Mike McCarty) writes:
)
)|> What's wrong with selling viruses? So long as the person buying knows
)|> what he is getting (no fraud) I see no problem.
)
)What is wrong with selling nuclear weapons to Iran, Iraq, or the IRA?
)Just as long as they are good, reliable, nukes there shouldn't be any
)objections.

I have no objection to publishing information on how nuclear weapons work. That is not the same thing as selling them to just anyone, especially those who have already demonstrated that they are willing to misuse them.

It should probably be a crime to obtain or write a virus with intent to use it in the commission of a crime, such as destruction of computer data or replication without the permission and prior consent of the owner of the data and hardware.

I have copies of a few viruses. Not many, but a few.
Not too long ago, I received a request to "trade" with a young fellow at a university. His sig was a skull with daggers and arrows through it. I declined, explaining that I was unsure of his motives. But note that he already had more viruses than I do! Were it not for his unusual .sig, I would have sent him copies, no problem.

)|> Any kid who knows DEBUG can also get a copy of Michaelangelo or any
)|> other virus just by looking around a little. If it were difficult to get
)|> copies of viruses, then nobody would need protection or scanners,
)|> because it would be difficult to get infected. Get the drift?
)
)Isn't that the way things ought to be?

I don't understand. Are you saying it ought to be such that it is easy to get infected? Or are you saying that it ought to be difficult to get infected?

The point I am making is - it is easy to get infected. The existence of this newsgroup proves that point. And no amount of effort will make it difficult to get infected.

Anyway, you don't seem to be addressing what I said. Any kid who knows DEBUG can also get a copy of a virus and hack it up.

)|> Until everyone knows how to write a virus, there will be those attracted
)|> to the mystique of it. I say publish source for viruses everywhere and
)|> make sure everyone can easily get a copy.
)
)The logic of this escapes me. Until every nation knows how to build and
)maintain nuclear weapons, and can acquire them cheaply, somebody's curiosity
)is going to get us into difficulty? Maybe we should teach courses in
)hacking in the schools. Let's publish widely the various security holes
)in the mainframe operating systems so that people who are *intrigued* by
)these things won't have to work to get the information. I just can't
)express how much safer these measures would make me feel :).

You and I obviously have very different ideas here. We think differently. I am not sure that either of us can produce an argument which will sound convincing to the other.
I don't even understand why the arguments you seem to be promoting appeal to you.

I think that it is foolish to think that by not selling nuclear weapons to other countries, and by keeping "secret" the means to build them, that the possession of nuclear weapons can be contained. I believe it is inevitable that all countries will have nuclear weapons.

Yes, I would definitely teach courses in "hacking". I would also publish security holes. Especially this latter. Then the holes can be closed.

A few years ago, we began migrating our software development from VAXen to (sort of) UNIX based Apollos. Naturally, I came across the password file, and began looking into what it comprised. In about two hours, I wrote a program to "crack" passwords. I ran it for about 10 minutes, and found a few (4 or 5, I forget). Later, I pulled some more aggressive software off the net, and ran it for about an hour. I found about 20.

When I reported this to the local administrators, they warned me that attempting to crack passwords would get me in trouble, fired in fact, and to remove the stuff. When I mentioned that the purpose of such stuff is to find insecure passwords, that the secure ones can't be found; when I told them that they should run such crackers themselves once a month and request that insecure passwords be changed, I was told that only by hiding such insecurity could the system be kept secure.

Now, if I could crack the password file, never having seen one before, in two hours, WHAT KIND OF SECURITY IS THAT? This NEEDS TO BE PUBLISHED HERE AT THIS COMPANY (and elsewhere) SO USERS CAN DEFEND AGAINST IT BY CHOOSING SECURE PASSWORDS.

So, yes, I want to publish security holes.

)|> You sound like some people who, from time to time, decry
)|> alt.locksmithing because "someone might find out how to pick a lock".
)
)If everyone is taught locksmithing, of what value is any lock in defending
)your possessions or your life? Locks will only keep honest people out.
Locks are useless for defending possessions or life. I lent one of my cars to a friend. I never locked it. While he had it, he did. One night a thief came and pulled the lock out of the door. Then he used a crowbar to rip the dashboard apart to get the radio. About two years later, I lent a car to a friend. He locked it up. So the thief broke in the back windshield.

A fellow who lived near my father-in-law put a guard dog, steel fence with barbed wire on top, gratings around all windows, solid wood doors, and dead-bolt locks on his house. He went on vacation, with someone to come by and check on the dog and house each day. Well, one day the guy was moved out lock, stock and barrel. They threw a poisoned steak to kill the dog, cut the fence, drove a large truck up to the back door (tracks on the lawn), chopped through the door with an axe, and moved the guy out. No furniture, no clothing, no nothing. I have seen the house myself, and the man was definitely a personal friend of my father-in-law. This is not some urban legend.

Locks only slow down someone who is not really intent on breaking in. Studying locksmithing can help one choose a lock which is more likely to slow down an intruder. No lock can stop an intruder.

)|> So what? You can't suppress knowledge.
)
)No, but you can make it difficult to acquire, and especially for novices
)and casual users.

No, viruses cannot be made difficult to acquire. Nor can any other type of knowledge. And I find the idea of -government- suppressing knowledge to be a much more chilling thought than having a virus infection.

)|> Anyone who really wants to get a copy of a virus can get one.
)
)|> I got one when I didn't even want it. Cost me
)|> many hours of disinfecting.
)
)If we proceed the way you want, you'll get to do a lot more of this.

No. I'll not have to, because I'll have a good idea of what actions to take to prevent it.
By keeping myself educated on what kinds of things viruses do, how they spread, and how to detect their actions and existence.

)|> What we need is good antiviral products. We do not need thought police.
)
)That's a defensive posture, like saying that what we all need to do is
)learn karate and carry guns and everything will be OK. How do I know
)that some genius isn't going to break through my anti-viral defenses
)tomorrow? Why should the expense of maintaining AV defenses be mine?
)This is a hidden tax on all of society.

There is no guarantee that your anti-viral defenses will not be broken. And, as a matter of fact, I believe in carrying guns (but not that that will make it so that "everything will be ok"). You seem to be griping that people deliberately hurt other people. Like thieves. You are right, it is a tax (but not hidden!). And it is wrong. And I don't like it. So here we seem to agree.

)|> We believe in liberty. We believe in freedom of thought. We believe that
)|> individuals have intelligence. We believe that people should be free to
)|> learn and use everything there is to know in the universe. We believe
)|> individuals should be responsible for their _own_ behavior (and no one
)|> elses!).
)
)I believe in liberty, as well, but NOT in the liberty to vandalize the
)property or data of my fellow human beings. I believe in freedom of thought,
)also, however all thoughts are not created equal. It's when those thoughts
)are put into action certain lines must be drawn. Learning everything there
)is to know is OK as long as your motives are not detrimental to your fellow
)man. Individuals ARE responsible for their own behavior but a society's
)job is to protect its members from the rapacious behaviors of the sociopaths
)within that society.

Liberty and freedom are not synonymous. You use the word liberty as though it meant freedom. No one has liberty to vandalize. I agree that not all actions are permissible, nor should be.

Now for your final thought here.
I do not believe there is any such thing as "society". Each person is responsible for his own actions; each person is responsible for his own protection. We banded together for mutual defense, and formed governments. These governments must be restrained from acting against persons who have not harmed another. This is imperative. I agree that there are rapacious persons who must be restrained. This is proper for governments to do. AFTER they have committed harmful acts.

)|> I don't think I like your ideas very much, sir. You remind me of the
)|> bureaucratic nonsense over here attempting to suppress pure mathematical
)|> research because someone might, just might, use it to create a cypher
)|> which the NSA couldn't break.
)
)I don't think that *research* is being suppressed so much as selling the
)results of that research to the likes of Saddam Hussein.

Then, with all due respect, you are ignorant. Fundamental mathematical research is definitely being suppressed, and professors are being threatened by the NSA. Try listening in on the cryptology newsgroups for a while, and you will see professors posting on the threats which have been made to them. This strikes rather close to home with me, since both my undergraduate and graduate studies are in pure mathematics.

)|> DISTRIBUTE INFORMATION FREELY AND POSITIVELY. HOLD PEOPLE ACCOUNTABLE
)|> FOR THEIR OWN ACTIONS.
)
)Distribution of information about how to defend against viruses is not
)a problem. However, we don't have to hand a mugger the gun with which
)he will blow our head off!

I don't believe in gun control laws, either. I believe in laws prohibiting the misuse of guns.

)|> I HATE being attacked by viruses. Let's stop them! But please QUIT
)|> TRYING TO SUPPRESS INFORMATION! LET'S SUPPRESS THE PEOPLE WHO
)|> DELIBERATELY CREATE AND RELEASE VIRUSES WITH MALICIOUS INTENT!
)
)How are you going to do this without abridging some or all of those
)*freedoms* you have been talking about?
)You can control the creation
)and spread of viruses in only so many ways:
) 1. Deny people the hardware to make them.
) 2. Deny people the software to make them.
) 3. Deny people the access to means to spread them.
) 4. Deny people the knowledge to write them.
)Now which of your freedoms are you willing to lose? Once you leave the
)door open, you are playing a defensive game of catch-up with the virus
)writers, with them being one step ahead most of the time. This means
)that there will always be a group of people losing data, time, and money
)to viral attacks. The wider you spread the knowledge of writing viruses,
)the odds against bumping into a sociopath with the desire to acquire the
)skill-set of Frisk or Vesselin go WAY DOWN. Remember, these people are
)not stupid; all they need is a little training and they might be able to
)write something really nasty.

I don't want to deny people any of the things you list there. I happen to believe that there is nothing wrong with writing viruses. I might just do it myself, one day. I believe that there -is- something wrong with writing viruses for the purpose of causing damage to other persons. All viruses are -dangerous- for they must, by their nature, overwrite something already on the disc. Mishandling of a virus -is- a bad thing. But just writing a virus is no worse than kindling a fire. If one is not attempting to commit arson, or being negligent and careless, starting a fire is not a bad thing.

Incidentally, just a couple of days ago the writer of SMEG and a few other viruses was captured in England. And I didn't have to give up any of the liberties you mentioned above for that to happen.

)|> What you say sounds like Nazi Germany and Communist Russia to me. There
)|> are a few intelligentsia who know how to run the lives of everyone
)|> else. They are allowed to collect viruses and thwart them for the rest
)|> of us.
)|> Oh, by the way, the ones who support this idea always seem to be
)|> a part of the intelligentsia, not one of the plebes. BAH!
)
)Sounds like a case of sour grapes to me.

I don't understand your statement. I am annoyed by the arrogance of Vesselin. I don't care that he has copies of viruses that I don't have. Nor do I want to join the crusaders against viruses and make it my work. I find working on software for telephone switches to be more useful and satisfying.

)|> Only knowledge and experience can make a person safe from viruses. When
)|> we all know how they work then:
)|>
)|> there will be much less incentive to write them
)|> we will be able to protect ourselves from the ones being written
)
)Only the people who write AV software or do AV research have a NEED to know
)viral code. Whether you or anyone else outside of that community knows a
)thing about viral code, does not make me any safer from viral attack. In
)fact, it only can get WORSE. The sheer amount of viral code that has been
)written merely proves this.

I couldn't disagree with you more. First, NEED to know shouldn't even enter into the equation. But even assuming that it does, what you just said is completely false. The more everyone knows about what a virus is, how it operates, and how best to combat an infection, the less damage a virus infection will do.

I have a friend whose sister got Michaelangelo. She panicked, and did some things which cost her a great deal. Had she been more informed, she would have been calmer, and had a better idea of what to do.

Furthermore, the more people know about viruses and their attacks, the less likely they are not to recognize an infection. This will definitely decrease the infection rate.
And when writing a virus is not a special thing, then those who think that by kludging up something (the three viruses I have disassembled were, speaking as a professionally employed program craftsman, very shoddy workmanship) they make themselves someone special - these people, I say, will have to move on to something else. Because writing a virus will not -be- something special.

- -----------------------------------------------------------------------

I hope I have been polite in my response to you; I certainly have tried to be. I believe you are sincere; I believe you truly believe the things you wrote. I believe you are wrong. I am not moved by your arguments. I suspect you will not be moved by mine. If so, then perhaps we should agree to disagree, with mutual respect. Although I believe you are wrong, I do not believe you have bad intent. But I do believe your ideas are dangerous. (Probably you think the same thing of mine! :) I hope that in any case, we can agree not to argue or call motives into question. Vesselin does this frequently, and that is a major annoyance to me.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 17 Aug 94 14:47:07 +0000
From: Tony Varesic
Subject: Re: UNDETECTED th-th VIRUS!!! (PC)

T. Nguyen, nguyen@panix.com writes:
> is there any1 getting hit by th-th virus yet??? i've tried these
>program to detect that virus... but no luck...
> central point anti-virus v2.2
> Norton Anti-virus v3.0
> Scan v117 and clean from McAfee
>none of these program detect th-th virus
> any suggestion other program to detect th-th virus!!!

I have found an anti-virus package which claims to detect the signature for 'Th-Th' virus: Anti-Virus included in Central Point PC TOOLS for Windows 2.0. I am currently running both the DOS and WINDOWS anti-virus TSRs and they seem to work (the DOS TSR protected me from the Stoned virus many times!).
The reason I know about the 'Th-Th' is that I am having trouble running a program called VGA COPY PRO 5.0a written by Thomas Moenkemeyer which I found on SimTel, various other versions on other FTP sites and the source FTP site in Germany. The TSR prevents this program (versions 4.5 to 6.0) from executing because it believes that it is infected by the 'Th-Th' virus. When I run Anti-Virus, no virus is found. (Of course I could do the obvious...disable the TSR and run VGA COPY PRO but that is not the point!) It is possible that the author has written code which looks like a virus signature but is really harmless, intentionally written code.

I hope this helps.

- -Tony

P.S. Has anyone heard of or used this program? If so, have they run across the scenario?

------------------------------

Date: Thu, 18 Aug 94 03:06:37 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Fridrik Skulason wrote:
)jmccarty@spd.dsccc.com (Mike McCarty) writes:
)
)>What's wrong with selling viruses? So long as the person buying knows
)>what he is getting (no fraud) I see no problem.
)
)Well, there is one problem with selling viruses - paying for them encourages
)development or distribution of more viruses...which leads you to the question
)whether there is anything wrong with developing and distributing viruses.
)
)Opinions on that seem to differ, as Virus-L/comp.virus readers have noticed :-)

Smiley definitely appreciated here!

)>Any kid who knows DEBUG can also get a copy of Michaelangelo or any
)>other virus just by looking around a little. If it were difficult to get
)>copies of viruses, then nobody would need protection or scanners,
)>because it would be difficult to get infected.
)
)And do you have a problem with that situation ?

No. I was pointing out a -fact- to someone who thought that by suppressing information about viruses we could somehow magically make it so they no longer existed.
)>Until everyone knows how to write a virus, there will be those attracted
)>to the mystique of it. I say publish source for viruses everywhere and
)>make sure everyone can easily get a copy.
)
)If *everyone* can, *everyone* will ... even mentally unstable people that
)would spend their time deliberately infecting computers. Is that what you
)want ?

I think that neither of us is going to be able to present the other with a convincing argument on this point. If -everyone- can then -no one- will. Is that what you want? I hope so. That's the way I see it. You see it differently.

)>What we need is good antiviral products.
)
)Unfortunately, one can argue that the increased number of viruses in
)circulation will lead to worse anti-virus products...I will be presenting
)a paper on that subject at a conference later this year.

I would be interested in finding out about it.

)>We believe in liberty. We believe in freedom of thought. We believe that
)>individuals have intelligence. We believe that people should be free to
)>learn and use everything there is to know in the universe. We believe
)>individuals should be responsible for their _own_ behavior (and no one
)>elses!).
)
)From the point of view of many non-Americans, it looks like you people in the
)US seem to concentrate too much on the "rights", and not enough on the
)"responsibility"....while most virus-development in the UK is promptly
)shut down by the police, no similar action has ever been taken in the US.
)
)Why ?
)
)- -frisk

Um, that's not true. The famous Internet Virus resulted in a Felony conviction. Have you forgotten? Incidentally, over here Felons permanently lose franchise (never allowed to vote again), are not allowed to purchase or obtain firearms, cannot obtain security clearances, and often have difficulty obtaining professional (as opposed to labor or hourly) positions of employment.

I am just as interested in responsibility as anyone, I think. Producing a virus is a -dangerous- act.
Doing so and either deliberately or negligently allowing it to cause another person damage is a serious crime, and should be. Just because something is dangerous does not mean that I think people should be considered criminals for either producing or possessing it. MISUSE is the key. Along with intent, especially. I believe obtaining or creating a virus with malicious intent should be a crime. I do not believe that obtaining or creating a virus with no malicious intent should be a crime.

I possess some live viruses. They are on discs which are prominently marked as infected. I recognize that this is a -dangerous- act, and so I behave responsibly. I keep these discs in a special location. Driving an automobile is -also- a dangerous act. That does not prevent me from doing so, nor does it make me want to outlaw automobiles.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 18 Aug 94 03:15:05 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Lenart? or CPAV blof. (PC)

Amir Netiv wrote:
) vkelson@bronze.ucs.indiana.edu (victor allan kelson) writes:
)
) > I have recently found the Lenart virus on several machines which I
) > commonly use.
)Bad luck ;-)
)
) > It was found and removed by Central Point PC Tools for Windows
)..
)Oh really? (read next quote)...
)
) > We have found that post-cleaning, floppies are unreadable. It
) > apparently attaches to the boot sector.
)CPAV (of all versions, windows or not) is known to do that, it alarms on
)perfectly clean and good BootSectors as infected by all kinds of things, and
)remarkably enough even "cleans" them (ThTh virus (?)) in most cases the trick
)works (a useless byte or some are modified in the BS) and the virus is
)presumably "cleaned", in other cases like your own...it fails! You know the
)rest...
)
)The funny thing is that most users believe that they really had a virus that "
)no other Anti Virus found" so this must be a great program.
)
)I'm afraid... Hmmm...no actually I'm happy, to tell you that you probably had
)nothing there, but now you do!
)
)Warm regards
)
)* Amir Netiv. V-CARE Anti-Virus, head team *
)
)- ---
) * Origin: <<< NSE Software >>> Israel (9:9721/120)
)

Very unhelpful post. How about giving the poor guy hope for actually cleaning his discs? I don't know whether CPTools actually munges discs as you said, but even if it did, the discs can -still- be revived. A "generic" boot block can be written to them, or one copied from a freshly formatted and uninfected disc. Contact me by netmail: jmccarty@dsccc.com and I will try to help you out.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 18 Aug 94 03:19:13 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Help Win 32 Bit File Virus? (PC)

Amir Netiv wrote:
)Hi there,
)
) > Help We have been getting an error message when
) > starting Windows 3.1 about not being able to start 32 Bit File Access.
) > This machine has been running for 8 months without this message.
) > It has now jumped to another machine through a bootable diskette.
) [stuff deleted]
)Last (but not least): Running:
)
)FDISK /MBR
)
)(of DOS 5 or higher) might help solving this situation (beware of this if your
)disk is not standard DOS).

Beware of this! Boot from a known clean (uninfected) floppy, and see whether you can access all partitions on your hard drive. If you can, then FDISK/MBR may very well help you, and you can try it. If you cannot access your hard disc, you may have a virus which cannot be removed using this technique, and doing it may make matters worse. Be sure you are booted from a clean floppy when you do it as well, or you may put a new MBR on there, only to have it immediately overwritten by the virus on your floppy.
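[Editor's added example, not part of Mike McCarty's posts above.] Three of Mike's points in this digest turn on the same object: the DOS boot sector. Earlier he describes a test program that reads a floppy's boot block and writes the identical bytes back, to see whether an "activity detector" such as FLUSHOT+ notices; here he says a damaged floppy can be revived by writing a "generic" boot block or one copied from a clean, freshly formatted disk; and the FDISK /MBR advice rests on first checking whether the disk still makes sense. The Python below shows what such checks look like on a constructed 1.44 MB floppy boot sector: it parses the BIOS Parameter Block, sanity-checks a candidate "generic" boot block before anyone writes it, compares a sector against a saved baseline with the BPB and code areas kept apart (boot-sector infectors typically leave the BPB intact so DOS can still read the disk, and replace only the loader code), and models the monitor decision that must fire even when the write-back is byte-for-byte identical. The sector bytes, the `CODE_START` offset and every function name are assumptions of this example.

```python
"""Boot-sector sanity check, baseline comparison and write guard.

Added example (not code from this digest or from any product named in it).
The sample boot sector below is constructed, not dumped from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBHHH"          # DOS BIOS Parameter Block, offsets 11..27
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")
CODE_START = 0x3E   # first byte after the (extended) BPB area; assumed DOS 4+ layout


def build_sample_boot_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector: JMP, OEM name, BPB, filler code, 55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"                 # JMP SHORT +3Ch ; NOP
    sector[3:11] = b"MSDOS5.0"                    # OEM name
    struct.pack_into(BPB_FORMAT, sector, 11,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    # a few plausible loader bytes (constructed filler, not real loader code)
    sector[CODE_START:CODE_START + 4] = b"\xFA\x33\xC0\x8E"
    sector[510:512] = b"\x55\xAA"                 # boot signature
    return bytes(sector)


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields into a dict keyed by BPB_FIELDS."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 11)))


def sanity_findings(sector: bytes) -> list:
    """Structural checks a candidate 'generic' boot block must pass before it is written."""
    if len(sector) != SECTOR_SIZE:
        return ["wrong sector length"]
    findings = []
    if sector[510:512] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        findings.append("does not start with a JMP")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("bytes_per_sector out of range")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        findings.append("sectors_per_cluster not a power of two")
    if bpb["fat_count"] not in (1, 2):
        findings.append("fat_count out of range")
    if bpb["media_descriptor"] < 0xF0:
        findings.append("media_descriptor not a DOS value")
    return findings


def compare_with_baseline(sector: bytes, baseline: bytes) -> list:
    """Sanity findings plus region-by-region differences from a saved clean copy.

    BPB and code area are reported separately: an unchanged BPB with a changed
    code area is the pattern a boot-sector infector leaves behind.
    """
    findings = sanity_findings(sector)
    if sector[11:CODE_START] != baseline[11:CODE_START]:
        findings.append("BPB differs from baseline")
    if sector[CODE_START:510] != baseline[CODE_START:510]:
        findings.append("code area differs from baseline")
    return findings


def fingerprint(sector: bytes) -> str:
    """Hash to store alongside the baseline copy so it can itself be checked."""
    return hashlib.sha256(sector).hexdigest()


def boot_write_alert(target_sector: int, new_data: bytes, current: bytes) -> str:
    """Decision of an activity monitor for a sector write; empty string means no alert.

    The alert fires even when new_data equals current: the test Mike describes
    (read the boot block, write the identical bytes back) must trip it, because
    the monitor cannot know the writer's intent from the bytes alone.
    """
    if target_sector != 0:
        return ""
    detail = "identical to current contents" if new_data == current else "changed contents"
    return f"ALERT: write to boot sector ({detail}); allow only if you initiated it"
```

A practical workflow from these pieces: save a copy of each clean floppy's boot sector together with its fingerprint, run `sanity_findings` on whatever "generic" block you intend to write, and treat `["code area differs from baseline"]` with an empty BPB difference as the signal to examine the disk rather than to clean it blindly.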
Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 18 Aug 94 03:37:55 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: changing genP/genB virus (PC)

Vesselin Bontchev wrote:
>Jay_Leiser (jayl@dorsai.dorsai.org) writes:
>
>> I need some info. We got a virus that is detected as the stealth genb
>> when booting from hard drive and when booting from floppy it is detected
>> as a stealth genp. In addition this virus was detected as the newbug genp.
>
>The virus that SCAN calls "Stealth [Genb]" is either Stealth_Boot.A or
>Stealth_Boot.C - probably the latter. It is based on a virus written
>by Mark Ludwig and published in his book that teaches the people how
>to write viruses. Don't forget to send him a message, telling him how
>much you appreciate his efforts. I suspect that in your particular
>case you have the .C variant, because it is more widespread than .A,
>but only a scanner that can distinguish between the variants will be

Hm. I believe that SCAN detects the virus, "Quox", as "Stealth [Genb]" on floppies, "Stealth [Genp]" on hard drives. It detects the Stealth_Boot.* family as "Stealth Boot [Genb/Genp]".

Additionally, I believe Ludwig posts up here, and you could probably even find some messages from him if you wanted.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Thu, 18 Aug 94 04:17:30 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Eugen Woiwod wrote:
>never mind crappy scanners like MSAV, Norton Anti-Virus and CPAV.

Have you *USED* these products? Do you own them? How much experience are you speaking from to make such bold claims?
- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Thu, 18 Aug 94 10:54:01 -0400
From: hermanni@wavu.elma.fi (Mikko Hypponen)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
> > Or, just replace the VALIDATE.COM file in the archive with a
> > bogus copy
>
> This won't work, because it will print one and the same result for
> every file checked.

Uhh...I did not mean the example literally; what I meant was that as long as the forger can supply the checker-program, he can easily make the checksums of the forged program match the published ones.

> > I've never understood why some packages come with the validation
> > program included.
>
> In order to provide the validation program to those who are getting
> the package for the first time.

Still makes no sense to me; if the validation program was separately available from the same places as the programs to be checked, the users could get it just as easily. However, the users would never have to update the validation program. If the program validates a known good copy of the antivirus program correctly, it will probably validate newer versions correctly as well.

This wouldn't provide a very high level of security, but it would be just as easy to implement, and would be much more secure than shipping a new validation program with every update (and announcing the correct values over the net).
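[Editor's added example, not part of Mikko Hypponen's post above.] The exchange makes a point that outlives VALIDATE.COM: published check values mean nothing if the program that computes them arrives in the same package as the file being checked, because whoever alters the file can also alter the checker. The Python below is a stand-in for such a validation program, written to show the failure and Mikko's remedy side by side. It prints two independent check values (a CRC-16 like the short values validators of the day showed, plus a SHA-256 that this example adds as its own assumption), shows that a checker supplied alongside a forgery can simply echo the published values, and then implements the proposal in the post: keep one validation program obtained separately, pin its hash out of band, and verify the checker itself before believing anything it prints. The "programs" are constructed byte strings; all function names are this example's own.

```python
"""Program validation checksums, and why the checker must be trusted independently.

Added example (not VALIDATE.COM and not code from this digest). The "programs"
below are constructed byte strings standing in for a distributed .COM file.
"""
import hashlib

SAMPLE_PROGRAM = b"MZ" + b"\x90" * 40 + b"constructed sample program v1"
TAMPERED_PROGRAM = SAMPLE_PROGRAM.replace(b"v1", b"v1+")   # a small alteration


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection): the kind of
    short check value 1990s validators printed alongside a second method."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def validate(data: bytes) -> dict:
    """Two independent check values, as an honest validation program would print them."""
    return {"crc16": f"{crc16_ccitt(data):04X}",
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_published(data: bytes, published: dict) -> bool:
    """True when the honest check values of data equal the published ones."""
    return validate(data) == published


def rigged_validate(data: bytes, published: dict) -> dict:
    """What a checker shipped together with a forgery can do: ignore its input
    and echo the published values. This is the case Vesselin and Mikko discuss;
    it shows why output from an unverified checker proves nothing."""
    return dict(published)


def checker_is_trusted(checker_bytes: bytes, pinned_sha256: str) -> bool:
    """Mikko's remedy: one validation program obtained separately from the
    package, with its hash pinned out of band and re-checked before every use."""
    return hashlib.sha256(checker_bytes).hexdigest() == pinned_sha256


def verify_release(program: bytes, published: dict,
                   checker: bytes, pinned_sha256: str) -> str:
    """Full procedure: trust the checker first, then let it judge the program."""
    if not checker_is_trusted(checker, pinned_sha256):
        return "REJECT: validation program does not match pinned copy"
    if not matches_published(program, published):
        return "REJECT: check values differ from published ones"
    return "OK"
```

The order in `verify_release` is the whole point: a user who runs the bundled checker is asking the suspect to vouch for itself, whereas a user who pins one checker once and re-verifies it on every update has moved the trust to something the forger did not ship.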
- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Check out our WWW site at http://www.datafellows.fi/

------------------------------

Date: Thu, 18 Aug 94 11:03:40 -0400
From: hermanni@wavu.elma.fi (Mikko Hypponen)
Subject: Re: HK Vtech virus & Amoeba (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
> He probably means the virus that we are calling Lunacy (because it is
> such a pathetic attempt to write a polymorphic virus).

I think we received a sample of that specific variant only a month ago, and that one is indeed detected as 'new or modified variant of Jerusalem'. The original variant, which I was talking about, is detected as Jerusalem.Vtech. As I said, we received a sample of that one during March 1994. The third variant, which is currently detected as Jerusalem.Vtech.2886, was received in July 1994.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Check out our WWW site at http://www.datafellows.fi/

------------------------------

Date: Thu, 18 Aug 94 14:29:23 -0400
From: nicolosic@gacsrv.gactr.uga.edu (Charles Nicolosi)
Subject: Has anyone had the sigilit virus? (PC)

This morning we came across a virus called "sigilit." I've tried using several different virus removers, including Norton Anti-virus, Central Point, and a couple shareware types. One of them (I can't remember which) says that the virus has been removed. After rebooting, it is still there. Another- Central Point, I think- says this particular virus is unremovable. Are there any virus scanners out there that can remove this wee beastie?

/--------------------------------------------------------------------------\
| Charles Nicolosi               | NicolosiC@Gacsrv.Gactr.Uga.Edu          |
| University of Georgia          |                                         |
| Georgia Center for Cont. Ed.   |         ******************              |
| Computer Services              |         ** GO BRAVES !!
** |
| Athens GA USA                  |         ******************              |
\--------------------------------------------------------------------------/

------------------------------

Date: Thu, 18 Aug 94 15:58:42 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator(VIRSIM2C.ZIP) (PC)

August 17, 1994

Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Date: Wed Aug 17 06:51:50 1994

Vesselin Bontchev writes:
> I am intelligent enough and have enough experience to figure out what
> your product does after I heard about it - even before seeing it.
> After I saw it, I saw that I was right in my assumptions, which didn't
> surprise me at all.

Vess,

I don't think anyone doubts that your level of intelligence allows you to form an opinion about a product, even before seeing it, and find your assumptions would later not surprise you at all. I'm sorry you feel it necessary to defend your intelligence and I don't believe a personal attack on your intellect has any place in a scientific forum. If your intelligence has ever been called into question, it was certainly not by anything I said. Perhaps you could take this opportunity to publicly reveal your IQ and put to rest any doubts.

Doren Rosenthal

------------------------------

Date: Thu, 18 Aug 94 17:07:47 -0400
From: rodrigde@cat.cce.usp.br (Derneval R R da Cunha)
Subject: HELP FKRUEGER (PC)

I'm having some trouble with a virus that freezes the keyboard and attacks all the exe files. When I use the scan 2.02 it says the name of the virus is FKRUEGER. Just like that in capital characters. But the clean 116 says it doesn't know what I am talking about, when I type fkrueger or else, and doesn't do a thing. I just deleted the files, but would like very much to know any info about the virus; I'll be thankful.

Sig.
Derneval

- --
+-------------------------------------------------------------------------+
| I log in, therefore I am. Reality is for people without Internet access.|
| I log in, therefore I am.
Realidade e' para aqueles sem conta na Internet.| | Internet: rodrigde@cat.cce.usp.br | | wu100@fim.uni-erlangen.de | +-------------------------------------------------------------------------+ ------------------------------ Date: 18 Aug 94 22:35:55 +0000 From: garcia@bkfsu1.sedalia.sinet.slb.com (Geoframe User) Subject: Re: TranScan (PC) : Jim Wood (jwood@az15eh09.iac.honeywell.com) writes: : > Has anyone heard of or used the TranScan virus detecting software? There is a DOS based BBS utility called TranScan. It is not virus detecting software, but rather a "shell" for such. Among various other things it can be set up to automatically run Scan or F-Prot, or whatever the BBS sysop desires, each time someone uploads a file to the BBS. This may or may not be the program Jim was inquiring about. Steve Garcia garcia@bakersfield.geoquest.slb.com ------------------------------ Date: Thu, 18 Aug 94 21:25:58 -0400 From: nhirsch@panix.com (Norman Hirsch) Subject: Re: McAfee Virus Scan (PC) weekh@merlion.singnet.com.sg (Wee Keng Hor) writes: >From: weekh@merlion.singnet.com.sg (Wee Keng Hor) >Subject: McAfee Virus Scan (PC) >Date: 16 Aug 1994 10:48:13 -0000 >Recently McAfee has released 2 kinds of virus scan. Besides the >normal scanvXXX.zip, cleanXXX.zip etc, it also has another kind >of virus scanning s/w. >Can someone tell me what are the differences between them or are >they the same? McAfee's "classic" SCANVxxx, CLEANxxx, WSCANxxx and VSHLDxxx programs have been around for about 5 years with minor updates/upgrades along the way. The "new" programs are total re-writes including SCAN with built in CLEAN (invoked with the /CLEAN switch), VSHIELD, and a true Windows version: WSCAN. As of this date, I still recommend the "classic" versions until all the detection and especially cleaning capabilities are built in. The "new" versions have separate .DAT files which are shared by all the programs so simple signature updates will only require these files be updated. 
The "new" SCANner is much faster and will eventually be more accurate. The "new" VSHIELD loads in upper, expanded or extended memory and splits itself up to minimize normal 640K memory. Because the "new" VSHIELD uses the same .DAT files, it (eventually) will detect all the same viruses that SCAN does. Because it loads into upper and/or expanded or extended memory, it doesn't have the problems that the "classic" version of VSHIELD (VSHLDxxx) has which is a compromise of including the viruses needed to be detected versus increasing the memory requirements. The "new" Windows version is a true Windows program as opposed to the "shell" that WSCANxxx is. I expect the "new" version to surpass the "classic" versions with a few months. I liken it to a relay race where the "classic" version has been around the track and is passing off the baton to the "new" version. Currently, they are both holding the baton although the "classic" version is still in the lead. You can ftp the files and see the differences yourself from mcafee.com or other mirror sites. Which reminds me. The "new" versions have an E(valuation) version which displays an evaluation message and a L(icensed) version which does not have the message. Otherwise the E and L versions are identical. I hope this answers your question. Best regards, Norman Hirsch Phone: 212-304-9660 NH&A, authorized McAfee agent Fax: 212-304-9759 577 Isham St. # 2-B BBS: 212-304-9759,,,,,,,3 New York, NY 10034 CompuServe: 72115,661 USA Internet: nhirsch@panix.com ------------------------------ Date: Thu, 18 Aug 94 21:35:19 -0400 From: swk@po.CWRU.Edu (Steven W. Kehrli) Subject: New Stoned Virus? (PC) There is a virus residing in the boot sector of a hard drive. F-PROT 2.13a reports it as a new Stoned variant and cannot disinfect it. It has not exhibited any destructive behavior as of yet, but does infect other boot sectors (i.e. formatting a floppy disk on the system). 
Its behavior seems to give precedence to the infected disk drive over all other drives, so trying to boot an infected floppy still boots the hard drive. When booting off of a clean system disk, the hard disk is not valid and FDISK reports erroneous results. Is there anyway of excising this virus off of the hard drive outside of wiping it and reinstalling everything? Steve swk@po.cwru.edu ------------------------------ Date: Thu, 18 Aug 94 22:03:51 -0400 From: nhirsch@panix.com (Norman Hirsch) Subject: Re: Network virus protect (PC) mjb@doc.ic.ac.uk (Matthew Jude Brown) writes: >From: mjb@doc.ic.ac.uk (Matthew Jude Brown) >Subject: Re: Network virus protect (PC) >Date: 17 Aug 1994 10:45:06 -0000 >mikko.hypponen@wavu.elma.fi (Mikko Hypponen) writes: >>Robert Schifreen (hex@cix.compulink.co.uk) wrote: >>> It's better to use a program like this on a LAN, rather than siply >>> running stand-alone scanners on the workstations. >> >>No, no. It's a common misunderstanding that an anti-virus NLM running >>on a Novell server could replace workstation-based virus protection. >>The reason a NLM by itself does not provide sufficient protection is >>the existance of the boot sector viruses. >This is why at least some of the NLM products these days work in association >with a small TSR on each workstation that sends the boot sectors of disks >to the NLM for scanning. Of course, stealth boot-sector viruses can defeat >this, but the situation is better than you describe. This is the reason why the BOOT ROM's are being produced by McAfee and others to go directly onto the NIC and check for boot-sector viruses on boot-up. Best regards, Norman Hirsch Phone: 212-304-9660 NH&A, authorized McAfee agent Fax: 212-304-9759 577 Isham St. # 2-B BBS: 212-304-9759,,,,,,,3 New York, NY 10034 CompuServe: 72115,661 USA Internet: nhirsch@panix.com ------------------------------ Date: Fri, 19 Aug 94 04:16:05 -0400 From: "Frank W. 
Felzmann - BSI" Subject: Junkie virus and McAfee Scan 117 (PC) Junkie is a multipartite virus, i.e. it can infect all files (fast infector!) with the extension CO? (so also all COM-files) and the boot sector of floppy disks and the master boot record of harddisks. McAfee SCAN 9.30. V117 detects Junkie o n l y in files, n o t in the MBR (master boot record) of infected hard disks and n o t in the boot sector of infected floppy disks. There is not even the misleading "GenB/GenP" standard message! F-PROT 2.13a detects Junkie in files, MBRs and boot sectors, but is only able to remove/delete the file variants. In the case of boot sectors F-PROT 2.13a says "Possibly a new variant of Junkie" and therefore is no removing/deleting. Regards, Frank W. Felzmann e-mail: fwf@bsi.de - ---------------------------------------------------------------- BSI - Bundesamt fuer Sicherheit in der Informationstechnik, Bonn Voice +49-228-9582-248 / FAX +49-228-9582-400 GISA - German Information Security Agency - ---------------------------------------------------------------- ------------------------------ Date: Thu, 18 Aug 94 01:45:17 -0400 From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt) Subject: tbav623 - Thunderbyte anti-virus v6.23 (Complete/Optimized/Windows) I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors): SimTel/msdos/virus/ tbav623.zip Thunderbyte anti-virus pgm (complete) v6.23 tbavw623.zip Thunderbyte anti-virus pgm (windows) v6.23 tbavx623.zip TBAV anti-virus - processor optimized versions Replaces: SimTel/msdos/virus tbav622.zip and older tbavw622.zip and older tbavx622.zip and older The Thunderbyte Anti-Virus utilities are ShareWare. There are 4 security modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are programmed in assembler and there for very fast! TbScan is a signature, heuristic and CRC scanner. It detects known, unknown and future viruses. 
TbScanX is the resident version of TbScan. TbClean is the first heuristic cleaner in the world. Even an infected file with an unknown virus can be cleaned. TbMon consists of 3 resident programs (TbMem, TbFile, TbDisk) which monitors your system against unknown viruses. From version 6.22 a complete Windows version is available. Note that for Windows you need both the Windows and the DOS files ! TBAV is uploaded by it's authors to anon-ftp site ftp.twi.tudelft.nl in dir /pub/msdos/virus/tbav) and from there distributed to SimTel, garbo.uwasa.fi and nic.funet.fi and from there to their mirror-sites. Greetings, Piet de Bondt bondt@dutiws.twi.tudelft.nl ============================================================================== FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 72] *****************************************