VIRUS-L Digest   Friday, 30 Sep 1994    Volume 7 : Issue 78

Today's Topics:

[Lets stop the] Flame Wars
Personal Attacks
Re: Netcom distributing viruses
Re: Netcom distributing viruses
Video Virus?
How does one become an insider?
virus terrorists (?)
Looking for specific-purpose virus scanner (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Faulty Complaint re: Rosenthal Virus Simulator (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Info on "Kampana"? (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Help need to get rid of Michelangelo (PC)
Re: Smeg viruses (PC)
Re: McAfee Virus Scan (PC)
Re: Virus Source code on CD ROM? (PC)
Help please: a new virus? (PC)
Re: Virus Source code on CD ROM? (PC)
Re: A new virus? (PC)
Re: KOH (PC)
Re: Rosenthal Virus Simulator (PC)
Re: Rosenthal Virus Simulator (PC)
Re: Rosenthal Virus Simulator (PC)
Re: Fixing the boot sector of a floppy? (PC)
Re: Fixing the boot sector of a floppy? (PC)
Re: Need Help on "V-SIGN" virus (PC)
Thunderbyte anti-virus - how good? (PC)
Re: HELP: trying to find cure for a unknown virus (PC)
Virus - Russian 32 or 37? (PC)
Central Point Update? ---- FTP site? (PC)
Help Filler virus (PC)
Re: Possible undetectable virus?? (PC)
Re: McAfee Virus Scan (PC)
Re: Server-downing virii (PC)
Info need on Hasita / J&M virus (PC)
Honecker ??? (PC)
Lenart? or CPAV blof. (PC)
Fixing the boot sector of a floppy? (PC)
Best Anti-virus software (PC)
Stealth.B Pain (PC)
Thunderbyte Antivirus (PC)
Possible virus? (PC)
Re: Tripwire V1.2 Release (Finally!)
September 1 WildList (PC)
vds30p.zip - AV package w/scanner, integrity checker etc. (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 02 Sep 94 12:07:57 -0400
From: rind@enterprise.bih (David Rind)
Subject: [Lets stop the] Flame Wars

I realize that I have little standing to post in this group, since I only read it and virtually never participate. However, I would like to suggest that the current rate of flames is detracting from the usefulness of the group. I have found the posts here in the past to be extremely helpful to me in keeping up with current virus problems and in learning about PC viruses.

Recently there has been a large volume of posts that are responses to responses to responses to flames. Many of these come from the most knowledgeable posters to comp.virus who feel obligated to slap down hard those people making foolish posts. I suspect that this slapping down could be done with one or at most two responses, and that those of us who read comp.virus would get the gist of what was being said without need for further repetition.

[Moderator's note: I agree! I have been allowing many of the recent posts to pass because each side has accused me of censoring them. Nonetheless, the "conversations" have gone nowhere, with the language only getting more and more heated.
Consider this a plea to the contributors to voluntarily cool down, or else I will start forwarding the flames directly to /dev/null, where they'll be appreciated for what they are. :-)

On another topic, the moderator (that'd be me) is back from a very busy travel schedule; my apologies for the delays in getting everyone's postings out. I'll try to un-jam the log jam over the next several days.]

- --
David Rind
rind@enterprise.bih.harvard.edu

------------------------------

Date: Wed, 31 Aug 94 20:49:12 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Personal Attacks

Iolo Davidson wrote:
) jmccarty@spd.dsccc.com "Mike McCarty" writes:
)
)> Furthermore, I believe that the charter (if it indeed forbids offering
)> virus material, I haven't seen the charter) should be changed.
)
)You will be outvoted. By Doren Rosenthal, for one. Why would anyone
)buy his simulated viruses if they could get the real thing for free?

I don't think that I will be outvoted by one person. Unless you believe that some person's votes count more than others.

Your second point is well taken.

I still haven't seen a copy of the charter.

)> Let's face it. Those who want to get copies of viruses -can- get them.
)
)But not from this respectable and responsible newsgroup.

You seem to imply that getting a copy of a virus is somehow unrespectable or irresponsible. Is this the case? If so, then I disagree with you.

Incidentally, do you get copies of viruses? Do you trade them with AV experts?

)> I call on the Moderator to gag Vesselin for making personal attacks
)> which are libellous and off-topic.
)
)This from a professed proponent of liberty and free speech. I think we
)get it now, Mike.

I am a proponent of liberty and free speech. I am an opponent of libel. Why do you confuse liberty with license?

I do not think you "get it" at all. In fact, I think I am annoyed by your seemingly arrogant attitude. I don't believe you misunderstood me a bit.
You seem to say that it is ok for Vesselin to call someone a LIAR in all caps without presenting a single shred of evidence, but not ok for me to ask the moderator to stop him. Who is the hypocrite here?

EVERYONE SAW WHAT VESSELIN WROTE. I called (gently I hope) for him to quit using such obviously libellous language, and to temper his statements. In private correspondence, he refused to do such, and in fact began imputing impure motives to me as well.

If Vesselin had presented a reasonable, cogent, compelling argument to support his use of words such as:

	LIAR
	fraud
	Rubbish! (in reference to a product)

then there would be no argument at all. I don't want the moderator to gag him for making any and all statements, just the ones which are plainly torts (unless supported). Vesselin does make (from time to time) useful and helpful comments. I would deplore attempts to censure him (i.e. stop him from publishing BEFORE reading what the content is). I think that doing so would be a detriment to this newsgroup.

[Moderator's note: Presumably, you meant censor, not censure...?]

By the way, several persons have sent me private correspondence supporting me in my position. I have received none (public or private) contrary to my position except from:

	frisk
	iolo
	bontchev

(I might have seen one or two from others, I haven't kept exact track, but these are the only ones I remember.) I might add that the order given is also the order of decreasing politeness in the way the disagreement was stated. The ones who have supported me have stated that they wish they had the courage to say the same things, and deplored the arrogant self-serving attitudes of those who have appointed themselves as the virus police of the world. So far, the only person to be truly abusive (to me) is Vesselin Bontchev, although he at least did not do it in public.

Another question: Why do you care that I don't like Vesselin to call people LIAR in public without presenting evidence when it is requested?
Boy does this thread seem to be getting off topic of viruses.

[Moderator's note: Yes, very much off the topic. I'd like to ask you, Vesselin, and whomever else wants to participate in this thread to do so off-line.]

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 00:33:01 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Netcom distributing viruses

Vesselin Bontchev wrote:
)Yaron Y. Goland (ygoland@hollywood.cinenet.net) writes:

[stuff deleted]

)Unfortunately, the 'net is not confined to the United States of
)America, and what Netcom does causes impact to several other
)countries, where actions like that are considered illegal.

So those countries have a problem enforcing their (IMO oppressive) laws. As ex-president Salinas said of the USA and our illegal drugs: "The USA does not have a drug supply problem, it has a drug use problem."

[more stuff deleted]

)Well, the last time I've looked, exporting cryptographic programs from
)the USA was not allowed, even if this software was freely available
)around the world. If you don't believe me, try to get a permission to
)export a diskette containing source code of programs THAT HAS BEEN
)PUBLISHED IN A BOOK (Bruce Schneier's "Applied Cryptography"). You'll
)be met by a firm "NO". It seems that there isn't *that* much freedom
)to do whatever you want in the USA, after all...

I disagree with this law, and would like to see it repealed. I dislike oppressive government even less in my own than in other countries.

[more stuff deleted]

)Sure, we will. I also think that making it illegal to *write* a virus
)is a serious infringement on a person's liberty. However, I also
)believe that it should be made a crime ("criminal negligence"?) to
)give a virus to somebody who you are not convinced that they would be
)competent and responsible enough to handle it properly.

Hey! We agree!
I think it would be difficult to properly write such a law, but I think it could be done. Wording would be something like:

	An act making it a crime to distribute programs with malicious intent, or to distribute programs containing malicious code to persons whom the distributor knows or has reason to believe will use or distribute the programs with malicious intent...

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 10:23:36 -0400
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Subject: Re: Netcom distributing viruses

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: [...] I also think that making it illegal to *write* a virus
: is a serious infringement on a person's liberty. However, I also
: believe that it should be made a crime ("criminal negligence"?) to
: give a virus to somebody who you are not convinced that they would be
: competent and responsible enough to handle it properly.

I have to disagree. Reserving information for the privileged few is at least as bad as banning its dissemination altogether. How do we put people in categories as to who is and is not "responsible enough"?

- --Bryan

------------------------------

Date: Thu, 01 Sep 94 15:29:59 -0400
From: chris584@aol.com (Chris584)
Subject: Video Virus?

We have had several monitors fail during the last month, and have read that there are viruses capable of altering the frequencies/voltages sent to video monitors and/or cards. Is this true? Are there virus detection programs capable of detecting these viruses? Which ones? Please advise. Thanks.

C. Harper

------------------------------

Date: Fri, 02 Sep 94 20:11:56 -0400
From: dnikuya@netcom.com (dave nikuya)
Subject: How does one become an insider?

Dear Friends,

I have only recently gained access to the internet, through the now infamous Netcom service provider.
I have the temerity to make a rather lengthy posting to this newsgroup because I feel very strongly about the issues involved. I beg your indulgence in advance for my inexact analogies, and hope that any flames produced are directed at my main points and not at minor mistakes. I also apologize in advance to Vesselin and anyone else who may take my comments personally; they are not intended to question anyone's character, but rather to state my case for a viewpoint that seems to be in disfavor with many important contributors to this forum.

I consider Vesselin one of the most helpful and knowledgeable people on the net, but I must question some of his comments:

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Yaron Y. Goland (ygoland@hollywood.cinenet.net) writes:
>
>> That netcom allows its users to distribute viral code and related
>> information when clearly marked as such is required as a basic
>> characteristic of freedom as defined in the United States of America.
>
>Unfortunately, the 'net is not confined to the United States of
>America, and what Netcom does causes impact to several other
>countries, where actions like that are considered illegal.

Surely you don't mean that it's unfortunate that the net is not confined to the US :), and surely you don't mean that US net services should be confined to that which is legal in every country? For example, would you advocate censoring the discussion groups on politics, sex, and religion, to make them acceptable to the government of Iran?

>> I realize that many people in this group come from countries where the
>> emphasis of society is placed upon the society and not the individual.
>> Thus society feels perfectly within its rights to restrict the rights
>> of the individual at any time it feels a threat to itself.
>
>Exactly.
Of course, the problem here is that society is not monolithic, and in practice it is not society that restricts the rights of the individual, but a very small group of people who have gained (by whatever means) the power to decide issues for everyone. A paradox of government, recognized even by the ancient Greeks, is that people of the necessary quality, wisdom, and integrity to decide these issues for society are among those least likely to possess the ambition and ruthlessness required to obtain high public office. Thus, Americans have a traditional distrust of people who want to tell them what is good for them, especially when there appears to be a conflict of interest (see below).

<...>

>> Many of the people who read this group are considered by the public as
>> experts on the subject of computer viruses and their views will be
>> sought when legislation relating to virus and malicious software is
>> written. I hope they will keep in mind the nature of freedom, its
>> costs as well as its benefits.
>
>Sure, we will. I also think that making it illegal to *write* a virus
>is a serious infringement on a person's liberty. However, I also
>believe that it should be made a crime ("criminal negligence"?) to
>give a virus to somebody who you are not convinced that they would be
>competent and responsible enough to handle it properly.

Well, this is a very stringent requirement. While I sympathize with your motives, I am sure that you are aware that many people suspect elements of the anti-virus community of spreading viruses in order to increase demand for their services. And as I have already stated, I consider you to be one of the most helpful and competent people in cyberspace, but I do not know you personally, and I recently saw an article which stated that some people believe that you are the Dark Avenger.
So it would be very difficult for anyone to _prove_ that he should be one of the elite to whom people can send viruses in full confidence that they won't be misused. Can there be no middle ground, where a responsible entity can make viruses available to adults willing to identify themselves and sign a statement promising responsible use, to remain on file?

By way of analogy, guns are obviously very dangerous, and are involved in thousands of crimes and accidents every day. Yet in the US, you do not have to prove that you are responsible and competent to buy a gun; you only have to prove (at most, and very informally) that you are not a convicted felon or a lunatic. (I am not saying this is good or bad; I am saying that this is the kind of tradeoff between freedom and risk that is traditional in the US.)

Another thing we have learned in the US is that making things illegal can create new problems. With alcohol in the 1920's and many drugs today, the benefit of fewer people using the drug seems to have been offset by the increased crime caused by the vicious gangsters who struggle for control of the drug market, habitual users committing burglaries and robberies to obtain the money necessary to buy the drug at the much higher prices that black marketeers charge, and otherwise good citizens having their lives ruined because they were caught experimenting with a recreational drug. The parallel I am trying to draw is that if distribution of clearly marked viruses is made illegal, then people who want to get viruses in spite of the law will still do so, but their only source will be the underground BBS's that demand a new virus as initiation, so that you may have the unintended effect of increasing the production of viruses, and the proliferation of BBS's run by unsavory characters.

As a possible example, and I may be wrong about this, but my impression is that the Ludwig-bashers in this forum may have done more harm than good.
If you read the early issues of his newsletter, it seems he was really trying to put out good information of use to researchers, but in later issues he includes articles that seem slanted more toward the people wanting to spread viruses than to contain them. Perhaps he could have gone either way in the beginning, but the vituperation he got from the "legitimate" AV community, plus whatever success the AV community had in keeping "respectable" people from subscribing to his publications, left him with nothing to lose among researchers and a customer base with a disproportionate number of non-respectable characters. Even so, I really do consider it ironic that many PC magazines consider themselves too pure to carry his ads, but have pages of ads for pornographic CD-ROMS.

The real danger I see is that many people who are interested in learning about viruses will have no legal way to do it. Let me lay my cards on the table and explain why this is a real fear for me: there seems to be a very small number of established AV researchers, some of whom are regular contributors to this forum, who are widely accepted as the "legitimate" AV community. While I am sure that it is unintentional, there is often an undercurrent of condescension or even ridicule when these insiders refer to people who are interested in AV activities, but who have not established themselves as members of this community.

For example, Vesselin's statement regarding Ludwig's CD-ROM: "most respectable anti-virus researchers refuse to even take a look at it." Well, I bought it, and I also subscribe to his newsletter. Yes! I admit it! And yet I don't feel that I am a contemptible person, and in moments of high self-esteem would even consider myself "respectable". My problem is that I am not an "insider" in the AV community, so I can't just ask strangers to send me their viruses like you do. It is not at all clear to me how an outsider becomes an insider in the AV community.
Must one work for a Fortune 500 company, or at a major university? It seems to me that there are many sincere and competent people who would not meet these criteria, and possibly some nefarious and incompetent people who would. Am I completely ignorant of the facts? Is there some professional organization that I can join which will allow me access to the virus libraries even though I am not a Ph.D.?

I happen to be fascinated with assembler language and direct control of devices on PCs. With the proliferation of cheap Pentium machines and gigabyte hard drives, it seems that the market for programmers has irrevocably swung toward rapid, visual development, and that hand-crafted, fine-tuned code is not in much demand anymore. However, knowledge of machine language and device control would seem to be very helpful in AV research, and I would like to pursue a career in this area. I have been sufficiently humbled by Vesselin's and Frisk's excellent postings to realize that I will not be able to write a competitive product from scratch, but I don't think it's unreasonable to aim at a career where I either become an expert in detection and eradication using existing products, and work as a consultant or troubleshooter to businesses; or possibly even go to work for an AV vendor as a programmer. I am still developing my skills in this area and can not afford to quit my current job to pursue this full time, so it will likely be some years before I can hope to enter the insider AV community on merit.

However, it seems that many of the insiders are setting up criteria that will guarantee that outsiders remain so indefinitely. The most obvious example of this is regarding virus exchange. I have seen many posts from insiders that encourage questioners to send them a virus for study. Then these same insiders discourage making viruses available for study to anyone else.
This is what I was alluding to above when I mentioned a conflict of interest: they are acting so as to perpetuate their monopoly on expertise. The appearance of a conflict is even more strongly suggested by the fact that these insiders are rightly considered as authorities by the general public, and when they are asked for a solution to a virus problem, they recommend each other's commercial products. No problem there, I recommend them too---but I don't try to keep new players out of the field.

It seems to me that learning to solve virus problems without working with real viruses is like learning to ski or swim by reading books---the theoretical knowledge is useful, but it's no substitute for real experience. No less authorities than Vesselin and Frisk have made very forceful posts that simulators are useless for working with AV products, so what am I to do?

I consider myself a responsible, competent, and sincere student of viruses. I have nothing but contempt for anyone who would encourage or allow the distribution of unmarked, infectious viruses to an unknowing person. I feel that I need live viruses to increase my knowledge of them and the products that combat them, but I am not an insider, so I can't get them from CARO or whatever. That leaves me two choices---get them from Ludwig's CD or an FTP site, or get them from a BBS that requires me to first contribute a new virus. I would never do the second, hence I am forced to do the first, and am consequently insulted by comments in this forum that imply anyone buying Ludwig's disc has some deficiency. I can stand the insult, but you will put me in a very difficult position if you are able to carry out your campaign of making illegal the availability of clearly marked viruses to people who accept the risk and responsibility. I beg you to recall that you were not always a world-renowned authority, and that you wouldn't be one today if someone hadn't taken a chance by providing you with live viruses.
And if I may say this without offense, if the laws did become more restrictive, a student at a Bulgarian university would probably not be high on the list of people to trust with viruses.

P.S. Vesselin, if I may address your point about selling an infectious biological virus to all comers: of course this would be ridiculous. But there are at least three differences which make the risk-benefit equation different in the case of computer viruses:

1) It is much more difficult to defend myself against a biological virus that can be transmitted by air, water, food, contact, etc., than against a computer virus that can only enter my computer via two well-defined and well-controlled routes (floppy and NIC).

2) There may be a significant risk that a non-expert will inadvertently spread a very infectious biological virus, (e.g. if he accidentally touches or inhales it). There is virtually no chance that anyone of normal intelligence and taking normal precautions will inadvertently spread a computer virus (please note I am referring here to situations in which the person has deliberately asked for and received a clearly marked virus). The only way I can transmit a virus from the (non-networked, at home) PC that I use for virus research is to write to a floppy with it, remove the floppy, carry the floppy to work, and put the floppy in another machine. Very rudimentary precautions, such as using colored floppies on my virus machine, would make the above sequence require deliberate action.

3) The chances that an independent researcher working at home will make a significant contribution to molecular biology are negligible. Significant innovations and products are created by independent PC researchers all the time.

If I may also correct one statement of fact, you implied in another thread that KOH source is not available. In fact, the source was published in Ludwig's newsletter (V2N2).

>
>Regards,
>Vesselin

Highest respect,
Dave N.
- --
dnikuya@netcom.com

------------------------------

Date: Sat, 20 Aug 94 00:05:09 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: virus terrorists (?)

Hello Craig!

15 Jul 94 11:42, Craig wrote to All:

 C> I still fail to see why frustrated people would do this.

Personally I don't have problems with people who write viruses. But I dislike people who spread their viruses.

 C> Why don't they
 C> find some hobby like fishing, some kind of sport/athletic activity, etc.

I think you can see virus-writing as a sport. I mean, look at the viruses Dark Avenger wrote. Some of them are still undetectable or real hard to detect. You can see it as a competition between the virus writer and the anti-virus writer. The problem is that so many people become victims of such things. Whole businesses' administrations gone etc.

 C> instead of causing havoc and lost work for millions of people worldwide.
 C> If frustrated people want to possibly exercise their intellect why not take
 C> up chess and win several tournaments.

Yep, that's the sickness about those people. Or make a real competition between computer viruses, but don't harm innocent people.. Viruses are cruel..

Greetz from Beetsterzwaag (Friesland),
Rinse

- --- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Wed, 31 Aug 94 22:24:46 +0000
From: Mark Mckenzie
Subject: Looking for specific-purpose virus scanner (PC)

I am looking for a virus scanner that can be used with a network that scans periodically all files entering the system. If there is a system out there that only operates when the network isn't busy, that would be even better. Something like a virus shield isn't exactly what I want, because the program should be transparent unless a virus is found. Something that only works on bootup isn't good either, because often the network servers are running for long periods of time. Does such a program exist?

Thanks...
- -Mark Mckenzie

------------------------------

Date: Wed, 31 Aug 94 19:58:10 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Fridrik Skulason wrote:
)
)jmccarty@spd.dsccc.com (Mike McCarty) writes:
)
)>Um, that's not true. The famous Internet Virus resulted in a Felony
)>conviction. Have you forgotten?
)
)No....but that was not a virus...it was a worm.
)
)- -frisk

I find that the distinction doesn't make much sense in the context of your complaint. You complained that the USA was not doing much to combat viruses, and that no convictions came of it. The implication was that:

	we do not try to find people who write damaging software
	we do not convict the ones we find

The fact that the damaging software did not fit the -exact- definition of -virus- as you define it is beside the point.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 31 Aug 94 20:06:12 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Faulty Complaint re: Rosenthal Virus Simulator (PC)

A.APPLEYARD wrote:
) jmccarty@spd.dsccc.com (Mike McCarty) wrote on Thu 18 Aug 94 00:48:12 -0400
)(Subject: Re: Rosenthal Virus Simulator (PC)):-
) > ... The -fact- is that viruses are -dangerous-. Whether Doren has succeeded
)in taming one so that it is -controllable- (I do not say benign, nor do I say
)"good") I do not know. ...
)
) For some time now, up to six Virus-L messages per issue have been coming out
)with `Rosenthal Virus Simulator' in their Subject: lines. Of these, some are
)indeed about the Rosenthal Virus Simulator. OK. But many of them are about no
)such thing but about the ethics of virus writing etc. And one is about neither
)of those two subjects but is solely replying to a flame about antivirals. And
)one is about MtE. This persistent lack of match of Subject: line and contents
)causes great nuisance to me as indexer, and to people using the index.
) OK, so the subject of this line of messages has shifted. That happens. But
)when continuing a line of messages replying to other messages, by using your
)emailer's `reply' instruction, change the Subject: line if necessary
)so that it describes what your message is about.

I think you must have chosen the wrong lines to complain about. The lines you quoted very definitely have as their subject Doren Rosenthal's virus simulator package.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 31 Aug 94 21:08:28 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Iolo Davidson wrote:
) jmccarty@spd.dsccc.com "Mike McCarty" writes:
)
)> I commend you for showing a more mature attitude in these latest
)> posts.
)
)Ouch! That must have hurt. I think I would prefer to be snakebit than
)get a compliment handed down from a high moral peak like this. I would
)like to state in advance that *I* have absolutely no virtues observable
)from the altitude where Mike sits, and if he claims to see any, it must
)be a trick of atmospheric refraction.

First: The compliment was completely sincere.

Second: I haven't seen either you or Vesselin compliment -anybody-, -ever-.

Third: I don't claim to sit on high moral peaks. But I certainly have seen you claim to do so, in public, in this newsgroup.

Fourth: You are right, I have not as yet observed any virtues in your correspondence, except by comparison with worse attitudes. This post of yours is the most caustic I have seen you post so far.

I complained that Vesselin used the word LIAR in all caps, and vilified Doren Rosenthal in ways too numerous to go into here. When he was politely asked for any evidence to support his contention of and imputation of evil intent on Doren's part he pointedly refused. And YOU got your feathers ruffled.

Frankly, I don't understand why you aren't on my side.
Some day =you= may be on the receiving end of unjustified vituperation and acidically injurious attacks by Vesselin. I would defend you then as well.

I hope this doesn't just prompt you to another sarcastic remark.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 31 Aug 94 21:32:32 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Iolo Davidson wrote:

[stuff deleted, including part of the docu. for Virus Simulator]

)Not that viruses have signatures, of course. The use of this word
)betrays a vast lack of comprehension about how viruses are found in
)files, by *detectors*, scanners, or whatever. What an anti-virus
)scanner looks for to find a virus depends on the choice of the person
)who wrote the scanner. There is no one set search pattern used by
)every AV scanner. Anyone who thinks you can take "the signatures (only)
)from real viruses" is fundamentally confused about the entire issue, and
)cannot be relied upon to say anything sensible on the subject.

I think that the use of the word "vast" is perhaps something of an exaggeration; however, I believe the point of this paragraph is well taken. The information contained in the quote you gave indeed gave me (as reader) the impression that the author (presumably Doren Rosenthal) believed and/or intended to convey the impression that viruses had some special attribute called a "signature" (much like my own signature) which is somehow characteristic of the given virus. Viruses, of course, have no such special "signature", and the statement you made is rather to the point. I think that it goes too far to say that he "cannot... say anything sensible".

)> Since these are really only dummy viruses, not all infected
)> program simulations produced by Virus Simulator will
)> trigger every virus detecting program.
)
)In fact useless for the purpose for which it is sold.
)This is actually
)a breach of Trading Standards regulations in Britain. Furthermore,
)promoting this stuff as a test standard maligns Anti-Virus software
)which correctly identifies the non-virus simulation files as not
)infected.

I am not so sure about this part of your complaint. If he proclaims that the files will not necessarily trigger all virus detecting programs, then I do not think he is violating anything. If he made the statement that any program not detecting his "simulated" viruses is defective, then I think you might have a point.

[more snipped]

)> Vess... If you're not using my Virus Simulator for what it's
)> designed to do, it's not going to do a very good job for you.
)
)It is designed to mislead people. Vess does not want to do that.

Here we go again. Unless you have developed ESP to a new high hitherto unknown to man, then I don't believe you know what is in the designer's mind. I have seen no evidence presented by anyone here that Doren Rosenthal is a conniving person dead-set on fraud and deceit. I -have- seen some evidence that he is wrong.

)> Many anti-virus product producers
)> appreciate the ability to work with Virus Simulator and have made
)> efforts to be compatible.
)
)Sounds like some vendors are afraid that if they don't detect viruses
)where there aren't any, the dummies who use your simulator will think
)their AV is no good. I would rather educate the dummies than cooperate
)with the deception.

Sounds like you are imputing motives again. You are also showing your disdain for the average computer user. It must be difficult to live in a world filled with "dummies". I live in a world which is filled with intelligent people. Not all of them are computer experts.

Were I producing anti-viral products, I would want to educate my users as fully as possible. I would explain the concept of type I and type II errors. I would also explain what techniques were used and the relative confidence I placed in each of them.
In fact, I believe F-PROT (Frisk?) has pretty good documentation. If I specifically felt that not finding Doren's stuff would make my product look bad, then I would -not- make it report his stuff as a virus, but I -would- either mention it specifically as something which my software was -smart- enough to recognize as not being truly a virus, or put out a special message indicating a -simulated- virus was found. Either of these would look much better to all involved (including customers) than long arguments in the net.

Doren: Please provide testimonials to back up your claim that anti-virus producers appreciate using your "simulator". If you can't, then why did you make the claim?

)> Please Vess. Won't you at least look at the documentation file
)> for *my* anti-virus product. Virus Simulator should only need to
)> satisfy the claims I make for it...
)
)"And the documentation means what I say it means."

I can think of no one better equipped to say what he meant by some documentation than the author. But you seem to think differently, Iolo.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 31 Aug 94 22:47:36 -0400
From: dklein@pluto.njcc.com (Dorothy Klein)
Subject: Info on "Kampana"? (PC)

Today I was asked to rescue a PC which had seized due to F-Prot's VIRSTOP nipping an epidemic in the bud. The grand total so far is two floppies and the virstopped hard drive. F-Prot version 2.09d called it "Kampana Variant A", said it was an MBR infector, and disinfected it readily. I greatly suspect the infection route was from floppy to hard drive, and not the reverse.

OK so far. But when I tried to find information on Kampana, it wasn't in the virus descriptions accessible from F-Prot. The big summary DOC just says that Kampana is detected exactly and disinfectable with F-Prot. VSUM doesn't list Kampana ANYWHERE -- I did a full search for it.
So what I'd like to know is, does Kampana play dirty tricks, by design or by defect? I've got a very worried, computer-illiterate professor who is freaking over the infection. Any information will be greatly appreciated!

TIA,
Dorothy Klein
dklein@pluto.njcc.com
grad student, Microbiology and Molecular Genetics, Rutgers University

More details, if you're interested...

The infection _might_ have come from Spain, as it was found on some disks owned by a new researcher fresh from there. Then again, it's the beginning of the semester, so it might have been carried into a computer center by a new or returning student, and thence to us. "Campana" means "bell" in Spanish -- would this virus by any chance make the computer beep?

I am one HAPPY F-Prot customer -- the best money I've ever convinced the department to spend. And yes, I did get around to updating to the current version Pretty Darned Quick after slaying the infection :) Nothing like a little reminder to cure procrastination...

DK

------------------------------

Date: Wed, 31 Aug 94 23:15:23 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Vesselin Bontchev wrote:
)Mike McCarty (jmccarty@spd.dsccc.com) writes:
)
)[Huge, 21-line quote deleted. Obviously, Mike McCarty thinks that the
)readers of this forum are unable to read the previous messages posted
)in a particular thread, or that their memory is too short to remember
)what has been said.]

No, not so obvious. Please don't put words in my mouth. It is rude and shows a lack of maturity. Also see a previous post in which you complain that I deleted too much.

[stuff deleted]

)> Furthermore, I believe that the charter (if it indeed forbids offering
)> virus material, I haven't seen the charter) should be changed.
)
)You, of course, are free to believe whatever you want. I, from my
)part, believe that your belief is wrong.

I am glad that we agree here.
We both believe the other has the right to believe something we disagree with.

[information from FAQ including request for viruses disallowed deleted]

)Elementary politeness requires that you read the FAQ of a newsgroup
)before posting there.

I have read it, several months ago. I forgot this portion. Thank you for pointing it out to me. Please disregard the requests I made earlier for the charter.

)> If the
)> purpose here is to educate ourselves about viruses for the purpose of
)> eradicating these pestiferous things, then let's do so.
)
)Yes, let's. Let's educate ourselves about viruses, how they work, and
)how to eradicate them. I have not seen anybody objecting here about
)those things. The objections are against virus requests, virus
)advertisements, posting viruses here, selling viruses to the people,
)etc.

Ok, Doren. Are you or are you not offering virus binaries for sale? The stuff I deleted said it is not allowed.

Vesselin, you are not objecting only to selling viruses. You are also name-calling. And the stuff I deleted also specifically forbids that, too.

Ok, Vesselin, please describe in detail viruses built with MtE:
    how MtE works
    how to detect it
    how to eradicate viruses built with it

)> Let's face it. Those who want to get copies of viruses -can- get them.
)
)Please explain how this is an excuse to give viruses to anybody who
)asks.

I do not give viruses to anybody who asks. I have no problem giving them to people who state that they do not intend to use them for malicious purposes. I suspect (though I don't know) that you trade viruses with others. Do you? If so, why do you condemn others for doing what you do? If not, how did you get a collection of thousands of viruses, as you claim?

[stuff deleted]

)People like Mark Ludwig and others who distribute viruses around make
)it more likely that you get infected.

No, they make it less likely in my opinion. I think on this point we will just have to agree to disagree.

)> Get a grip, Vesselin.
)
)I am *very* tempted to reply with "Get a life, Mike" to this, but I
)won't...

This reminds me of the tired old joke "I'm not a man to say I told you so, but I did tell you so."

[more deleted]

)No, and I am not saying that it is so. Instead, he does other
)unethical things - sells viruses to his customers, for instance.

Not an unethical practice unless he misrepresents his product as being other than virus.

[more deleted]

)First, I didn't claim that he "uses such BBS's", did I? Second, yes,
)incidentally I happen to know that he *is* involved in virus exchange
)and has been even quoted as "maintaining" the virus collection of
)another collector from Slovakia.

I believe you did. I do not think that virus exchange is reprehensible. I believe I have seen him quoted as "maintaining" a virus collection for purposes of virus eradication, not maliciously infecting people. I also do not believe this is a reprehensible act.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 31 Aug 94 23:29:42 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Help need to get rid of Michelangelo (PC)

Tzu-Soon Jim Horng wrote:

[stuff deleted about Michelangelo infection detection]

)I have some experiences dealing with virus, but I can't seem
)to remove it by msav.exe or by SYS.COM from a floppy boot up. It seems
)that as soon as the computer knows the existence of the harddrive, the
)virus is active in memory (no matter which drive I boot it from).

Most likely you are booting from an infected floppy.

)I do not wish to reformat the whole harddrive, since she does not
)have a backup of all the programs.

It should not require a reformat.

)Questions:
)1.How can I remove Michelangelo virus on her system?

Boot from a non-infected write-protected floppy. Then make sure that you can access your hard drive, and that all files appear ok. Then make a full backup.
Write protect the backup floppies as they come out of the floppy drive. If you have DOS 5.0 or later, use FDISK/MBR to disinfect the hard drive. Then scan again. If the infection seems gone, reboot from the hard drive, and check that you can access all files. If so, your hard drive is clean.

If you cannot access the hard drive after booting from a known clean floppy, then you may have a double infection. Obtain enough "clean" formatted floppies to do a full backup. Boot "dirty" from the hard drive and make a backup as described above. Then boot "clean" from a floppy, and scan the backup floppies you made. If no infection is found, then you are ok to proceed. If infection is found, then your backup has corrupted files on it; do not proceed unless you don't mind losing some files.

Put FDISK and FORMAT on your bootable floppy (from a clean machine, not the infected one). Use FDISK/MBR to clean the MBR. Then FORMAT the logical drives. Re-install DOS, and restore from your backup.

Some of your files are now corrupt. They are not infected, but will contain copies of your original boot sector from the floppies on which the backups were made. You can find which ones by using a disc scanner to look for whatever your OEM signature is on your floppy boot sectors. Norton's tools can help with this if you are familiar with them.

The best defense against viruses is regular backups.

)2.Is there a program (shareware or freeware if possible) that can
)remove the virus without reformatting the harddisk?

See above. But you also need to disinfect your floppies. McAfee's CLEAN can do this, but it is definitely tedious. It also needs to be done.

)3.How safe are the files on the disk (are the files infected as well?)
)Is it too late for me to back up the files now?

See above.
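Added here as a worked example, not code from the post or from Norton's tools: a small Python scanner for the "find which files carry a copy of the boot sector" step above. It keys on the OEM name at offset 3 together with the jump opcode at offset 0 and the 55 AA signature at offset 510, the standard DOS boot-sector layout; the sample boot sector and the sample backup files are constructed for illustration.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # bytes 510-511 of every DOS boot sector


def make_sample_boot_sector(oem):
    """Constructed minimal DOS floppy boot sector: jump, OEM name, 1.44 MB BPB, signature."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                      # short jump over the BPB into the boot code
    bs[3:11] = oem.ljust(8)[:8]                    # 8-byte OEM name, the value searched for
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors,
    # media byte, sectors/FAT, sectors/track, heads (values of a 1.44 MB diskette)
    bs[11:28] = struct.pack("<HBHBHHBHHH", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def looks_like_boot_sector(chunk, oem):
    """True when a 512-byte chunk starts with a jump, carries oem at offset 3 and ends in 55 AA."""
    return (len(chunk) == SECTOR
            and chunk[0] in (0xEB, 0xE9)
            and chunk[3:11] == oem.ljust(8)[:8]
            and chunk[510:512] == BOOT_SIG)


def find_boot_sector_copies(data, oem):
    """Offsets in data at which a copy of a boot sector with this OEM name begins.

    The search keys on the OEM name rather than on sector boundaries, so a copy
    that landed unaligned inside the file is found too (assumption: the copy is intact).
    """
    oem = oem.ljust(8)[:8]
    hits = []
    pos = data.find(oem)
    while pos != -1:
        start = pos - 3
        if start >= 0 and looks_like_boot_sector(data[start:start + SECTOR], oem):
            hits.append(start)
        pos = data.find(oem, pos + 1)
    return hits


def scan_backup(files, oem):
    """files: {name: bytes}. Returns {name: [offsets]} for the files that carry a boot sector copy."""
    report = {}
    for name, data in files.items():
        offsets = find_boot_sector_copies(data, oem)
        if offsets:
            report[name] = offsets
    return report


if __name__ == "__main__":
    oem = b"MSDOS5.0"
    clean = b"Quarterly report, nothing unusual in this text.\n" * 40
    # Constructed damaged file: its second sector holds the floppy's original boot sector.
    damaged = clean[:SECTOR] + make_sample_boot_sector(oem) + clean[SECTOR * 2:]
    for name, offsets in scan_backup({"REPORT.TXT": clean, "LETTER.DOC": damaged}, oem).items():
        print(f"{name}: boot sector copy at offset(s) {offsets}")
```

Run it against real backup files by replacing the constructed dictionary with the files read in binary mode and the OEM name actually found on the floppies.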
Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 31 Aug 94 23:54:53 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Smeg viruses (PC)

Vesselin Bontchev wrote:

[stuff deleted]

)> (This not to Vesselin)
)
)[not-to-Vesselin stuff deleted]
)
)Oh, so the above was directed to me? I thought that you are providing
)to the user who asked some examples of how outdated and/or defective
)hardware could be the cause of those urban legends. Since you said
)that it is directed to me, how, pray tell, does it contradict what I
)said? And, if it doesn't (and I find that it supports what I said),
)what part of my message led you to believe that I don't know it?

It was directed to both of you. You made a statement which led me to believe that you thought only outdated monitors could be damaged by software. I specifically stated that the rest was "not to Vesselin" not so much as to point out that I was attempting to correct or educate you (I was not) but rather to point out that the rest was unrelated to the previous part. I'm sorry if I gave you the impression I was criticizing you.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 31 Aug 94 23:55:58 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: McAfee Virus Scan (PC)

Vesselin Bontchev wrote:

[stuff deleted]

)The new VirusScan as it is now (version 2.10) is *significantly* worse
)than the old one (version 117) in the sense that it detects much fewer
)viruses and has much more unreliable detections. Therefore, I wouldn't
)advise anybody to rely on it for virus protection - at least not until
)it catches up with the old one.

I also find it gets stuck in infinite loops.
Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 00:00:27 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Virus Source code on CD ROM? (PC)

Ian Douglas wrote:

[stuff deleted]

)What the heck do you think Ludwig is doing? Or is selling viruses somehow
)different to spreading them?

Yes, selling and spreading are different things. Labs sell HIV. They do not spread it.

)We just had this major debate on FidoNet and I have no particular desire to
)have it all over again. Suffice it to say that the underground failed to
)convince us that giving free access to viruses and virus source code was a
)good thing.

Nor do I. I am not posting to FidoNet. I am not underground. I do not know who "us" is, but I am convinced that freely accessible virus source will make writing viruses a thing of the past. There is probably no hope of discussing this with you further.

)In general, they failed to understand the link between freedom and
)responsibility.

I -do- understand this. Anyone who obtains and misuses a virus should be held accountable. Just as anyone who obtains a match and misuses it should be held accountable.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 00:09:16 -0400
From: clegg@ripco.com (Robert Zubek)
Subject: Help please: a new virus? (PC)

I'm writing on behalf of my friend, who has recently become a victim of what he understands is a virus. The problem is -- it behaves in quite a peculiar way:

1. When under Windows, the screen covers with snow or noise, as if the graphics board was damaged. Under DOS there is no noise, but the characters jump from place to place (jump, not fall).

2. The virus has modified NAV, MSAV and CHKDSK to be unexecutable.

3. It has recently updated dates of all the files on his hd.
My friend is, indeed, trying to get some more virus detectors, but that may take awhile. Does that description match that of any widely known virus? If so, could you recommend a program to kill it? (I can provide more info about symptoms, if necessary).

Regards,
Robert

- --
Robert Zubek             | "It doesn't have to be like this. All we need
clegg@rci.ripco.com      |  to do, is make sure we keep talking."
PGP key avail. by finger |                         - Stephen Hawking

------------------------------

Date: Thu, 01 Sep 94 00:11:02 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Virus Source code on CD ROM? (PC)

Vesselin Bontchev wrote:
)Mike McCarty (jmccarty@spd.dsccc.com) writes:

[stuff deleted]

)> I have no problem with people growing and investigating, e.g. HTLV III
)> virus.
)
)Would you have problems with somebody selling it for 100 bucks in a
)drugstore?

I might. I would like to know what the stated purpose for the purchase is. It might be reasonable for the drugstore to make note of who sold it. I -definitely- want to see people tried and appropriately punished for misusing it. I'm not sure the analogy I made goes quite this far. I do not think that easy availability of the HTLV III virus would make production of more of it less likely, as I do for computer viruses.

)> I have a real problem with members of ACTUP intentionally
)> attempting to spread this virus.
)
)Well, if this virus was available for $100 in the drugstores, it would
)be likely that the members of ACTUP (huh? what's that?) can easily get
)hold of it and therefore intentionally attempt to spread it.

ACTUP members can -already- get it easily, free, let alone for $100. ACTUP is an organization of homosexual men in the USA who are agitating for more funding for AIDS research and social acceptance of their way of life. They have been known to spit, scratch, and throw blood while claiming to be infected or using infected blood. Infected with HTLV III, I mean.
Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 00:32:54 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: A new virus? (PC)

Vesselin Bontchev wrote:

[stuff deleted]

)Indeed, sounds like a virus. I suggest that you send one of those new
)files that are created in the place of the originals to some
)anti-virus researchers, and especially to the producers of the
)products that have failed to detect the virus.

Are you requesting virus binaries?

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 00:33:11 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: KOH (PC)

Iolo Davidson wrote:

[stuff deleted]

)> Can someone please start talking about it?
)
)What for? When someone needs help getting rid of it, no doubt the
)question will get asked here, but I hope we are not going to get another
)thread about so-called "beneficial" viruses. We have just finished that
)idea off. Anyone who wishes to promote the use of this or other viruses
)(as in a recent long thread in another newsgroup) will not find much
)welcome here.

I am not so sure you have "finished that idea off". I think that people just got tired of discussing it. There were a few who supported it, a few who vociferously repudiated it. You seem to be saying that those who repudiated it "won" the debate. I very much doubt that. I don't think anything got resolved at all.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 00:45:00 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (PC)

Iolo Davidson wrote:
) jmccarty@spd.dsccc.com "Mike McCarty" writes:

[stuff deleted]

)> The -fact- is that viruses are -dangerous-.
)
)True.
)
)> Whether Doren has succeeded
)> in taming one so that it is -controllable- (I do not say benign,
)> nor do I say "good") I do not know.
)
)If you are not going to say something, all you have to do is not say it.
)No virus is either benign or good, so that aspect doesn't come into the
)issue. The issue is whether he should continue to distribute a product
)which is a sham and/or contains a virus.

You seem to be stating opinion as fact. It is a -fact- that you consider no virus to be good. It is your -opinion- that there are no good viruses.

[more deleted]

)Don't see why this is in your post. Who said it was WRONG? It is
)against the charter of this group to advertise viruses here, if that is
)what you mean. That does not argue that it is WRONG, only that it
)should not be done in this group. There is a big difference between
)printing a warning that there has been a virus outbreak somewhere and
)printing an email address where you can obtain viruses, if that is what
)you are talking about.

That is what I was talking about, and I fail to see the difference. If you want to suppress knowledge about where to obtain a virus, then do so. Otherwise stop suppressing such knowledge. Don't pretend there are "safe" declarations of where to obtain a virus, and unsafe ones. I saw here recently "over on ftp site blah.somewhere.abc in directory /pub/erotic_something file xxx_pictures.zip has the zzz virus in it, STAY AWAY FROM THIS FILE" or words to that effect. If this isn't advertising the existence of a virus, I don't know what is.

[more deleted]

)But users without technical knowledge don't understand that this cannot
)test scanners. The original query in this group was about testing
)scanners. The people who buy simulated viruses want to test scanners.

All of them? You know from personal knowledge that all persons interested in purchasing simulated viruses want to test scanners? This is quite a claim.

)> Furthermore, as we say in the US, being forewarned is being forearmed.
)> In other words, being prepared is a very useful thing.
)
)Which is why it is important to warn people that simulated viruses are
)useless for testing anti-virus software. Then they will be prepared to
)say "no thanks" when someone offers to sell them some. This has been a
)public service announcement.

Depends on how the simulation is done. I could write a simple simulation for a boot sector infector. It would read the original boot sector, and attempt to write it back. An int 13 hook type detector should probably sound an alarm, warning of suspicious behavior.

)> If Doren has indeed
)> produced a -controllable- virus, then experimentation with it
)> could definitely have beneficial effects.
)
)Not for non-technical people. Technical people don't need his help with
)such things, if they wanted to do it, and I see no reason why they
)would. And I don't believe the "controllable" claims anyway.

I don't believe the controllable claims; I do not disbelieve them. I have no experience with his product, so I have no opinion. I also believe that non-technical people can be intelligent, and could benefit from controlled infection. It is true that technical people don't need help, but might prefer not to spend the time to write their own.

I can easily envision a company like mine spending money to train their personnel not to panic when a virus infection occurs. I could see having classes with machines deliberately infected with a virus. The virus could announce its presence in memory constantly. The instructor could lead the class through an infection to see what it looks like, and how it behaves. He could lead them through running a scanner which detects the virus, and clean the hard drive, along with all infected floppies.

)> That's the reason for fire drills, not to have
)> "pretend" fires, but to have skills in place for
)> when a real emergency arises.
)
)How about a fire drill that teaches everyone to assemble in the attic
)and put a plastic bag over their heads?
Non sequitur.

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 00:50:50 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (PC)

Vesselin Bontchev wrote:
)Kevin Marcus (datadec@corsa.ucr.edu) writes:

[stuff deleted]

)Ahh, but that's a different thing! :-) You see, flight simulators are
)not airplanes, so they cannot be used to test the anti-air cannons.
)Similarly, Rosenthal's "simulated viruses" are not viruses, so they
)cannot be used to test the anti-virus programs.

Some are, some are not. The "real" virus is real, as even you have stated (I don't know). His "simulated" viruses, as I understand it, have code fragments designed to trick scanners into false positives. I am not convinced that such files have a real use. But I also do not see selling them as a bad thing, so long as the buyer knows what he is getting. I understand they are shareware, so the user gets to try before buying.

[more deleted]

)Iolo should answer for himself, of course, but *my* opinion on this
)subject is that such users should be trained by competent teachers,
)using real viruses in a strictly controlled environment. In fact,
)several anti-virus companies provide such training courses; I know for
)sure about S&S International, and I think that Sophos has such
)seminars too.

Ah, I agree with you here, for most people. Others are quite able to learn on their own. I would not prevent selling such training packages to those who want to learn on their own. Which is what Doren offers, I think.

[more deleted]

)Ugh, no, the US mags do not seem to be more competent. The latest
)"tests" in the August issue of BYTE are horrible. They have again
)looked mainly at the user interface and the virus detection
)capabilities are mentioned by-the-way, as if they are not something
)terribly important... :-(

If this is true, then :-( indeed!
Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 01:08:32 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (PC)

Vesselin Bontchev wrote:
)Mike McCarty (jmccarty@spd.dsccc.com) writes:

[stuff deleted]

)> The -fact- is that viruses are -dangerous-.
)
)Exactly.

Glad we agree.

)> Whether Doren has succeeded
)> in taming one so that it is -controllable- (I do not say benign, nor do
)> I say "good") I do not know.
)
)Well - I do. He hasn't.

Ok, that is your opinion. It remains only your opinion until you present evidence. So far you have presented none, except to proclaim repeatedly that the virus is not controlled and/or safe. In exactly what way is it not controlled/safe, and what would you consider criteria for making this decision, and what evidence do you have to support it?

[more deleted]

)The -fact- is that the average user does not have the technical
)knowledge to figure out whether the product is useful. Therefore, the
)average user is easily fooled by Rosenthal's claims of usefulness.
)That's exactly why I am wasting so much time and bandwidth here to
)explain how harmful his product is - in the hope that at least those
)users who read this forum will understand it.

I don't believe you think you are wasting bandwidth, or you would stop. I believe you think it is worthwhile. Also, your ego is beginning to show a little. I think the average person -is- able to determine whether any given product is worth spending money on. And since they pay only after trying, then they must believe it is worthwhile. And I don't think you should try to make that decision for them. If you think his "simulated viruses" are worthless, don't just loudly proclaim so, and accuse him of evil malicious intent. Present information which supports your position and allow people to make up their minds for themselves. Doren allows people to make up their minds.
He publishes and allows them to try. If they don't like it, they don't have to pay.

[deleted]

)> I believe that a "simulated" virus could indeed be useful for testing
)> certain kinds of virus protection software.
)
)Well - you are wrong.

See below, please. I describe a "simulated" virus which you agree would be useful.

)> E.G. I use FLUSHOT+.
)
)Beware - this monitoring program is trivial to bypass, and most
)contemporary tunnelling viruses do so.

Thank you. I already knew that, but it is better than nothing. Anyway, thanks for the warning. Do you know of superior activity detectors?

I also have my BIOS detector turned on. It monitors writes to the MBR of the hard disc. It seems to me that this would be quite difficult to bypass. Hmmmm. Perhaps not. If one could recognize the version of the BIOS, and kill the bit in the CMOS RAM which controls the .... Anyway, do you know of superior activity detectors?

)> A "simulated"
)> virus which read the boot block off a floppy and attempted to write the
)> very same data back to the floppy would be a useful program for testing
)> the efficacy of such an "activity detector" type of software. Or to do
)> something similar to an .exe file.
)
)Yes, such a program would be indeed useful to test monitoring
)programs. In fact, to make it useful one should implement all known
)ways to bypass a monitoring program - so that the user could see which
)methods of attack are effective against "his" monitoring program and
)which are not. However, you are wrong to think that such program has
)to be implemented as a virus. Instead, it should be implemented as a
)stand-alone non-replicating program. There is absolutely no need to
)make it replicate.

I did not claim it should be implemented as a virus. I said it could be implemented as a "simulated" virus. I envisioned a stand-alone program indeed.

)> Furthermore, as we say in the US, being forewarned is being forearmed.
)
)Unfortunately, it is very dangerous to generalise in this aspect.
)Otherwise we would reach the conclusion that every child should have
)access to guns, explosives, drugs, poisons, etc.

I believe -adults- should have access to these items. -Children- are an entirely different matter. I approve of restricting access to alcoholic beverages in precisely this manner, for example.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 01:19:10 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Fixing the boot sector of a floppy? (PC)

Iolo Davidson wrote:
)> We agree again. It should not be hard to write a utility which would
)> read the boot sector off any cleanly formatted disc, fix up the BPB part
)> of it and write it to the disc to be "disinfected". Maybe I'll do it.
)> But not now, I'm working 14 hours per day as it is. Anyone else want to
)> pick up the gauntlet? It would be a good thing!
)
)Been done. Dr. Solomon's has had a utility to clean floppy boots for
)years. Why is it that neophytes have all the answers when experts who
)have worked professionally in the field from the beginning must bumble
)along in the dark?

I'm glad it has been done. I expected that it had, actually. I will certainly not claim to be anything other than a neophyte. I have been investigating viruses for only about 2 years. I have only cleaned two infections. The first one was for a virus which (at the time I got infected) had no scanners which could identify or clean it. So I wrote my own. The second was for an infection which was identified as Michelangelo, but when cleaned caused the hard disc to "go away". I edited the MBR by hand using DEBUG and then Norton DISKEDIT (latter is -much- easier to use), to get the drive back enough to get files off it. So I really am not any kind of expert.

I do not claim that you or anyone else "bumbles along in the dark", and I resent your putting words into my mouth.
)What Vess was complaining about was that the makers of DOS system
)software do not see fit to include a method of replacing boot sectors
)without the system files in the standard system utilities shipped on
)everyone's computer, not that there wasn't a third party utility to do
)this.

Probably Vesselin should speak for himself. This is not the way I interpreted his message. However, it makes sense that he would know that such a utility existed somewhere, and not complain unless about DOS. There are many things which Microsoft has not provided which should have been available long ago. UNDELETE springs to the lips almost immediately. Finally available. A reasonable backup program. Finally available (but better still exists).

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 02:03:12 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Fixing the boot sector of a floppy? (PC)

Vesselin Bontchev wrote:
)Mike McCarty (jmccarty@spd.dsccc.com) writes:
)
)> )Repeat after me: THERE IS NO SUCH THING AS *THE* GENB/GENP VIRUS. It
)> )is a way of McAfee's SCAN to tell you "your boot sector/MBR seems to
)> )be infected but I have no idea which particular virus it might be".
)
)> What an obnoxious way to educate a user.
)
)What an arrogant, petty remark. At least I bothered to educate him.
)And did it in such a way, that he (and probably a few others) will
)*remember* the information - and maybe even pass it to others. You
)have joined this newsgroup recently, so you obviously don't know how
)often this question is asked. BTW, where were *you* to educate the
)user in a "less obnoxious" way when he asked the question? Or are you
)only capable of nit-picking on other people's messages?

I did not join this group recently. As I have already told you before, I have been on the net for about 3 years.
I have seen you answer this question frequently, and in the same irritating, obnoxious, arrogant manner. I just finally decided to say something about it. *I* was there to answer him -after- you because my feed took longer to get it to me than yours did to you. I -certainly- would have answered him, and not in this manner.

)> Make him feel like an ignorant
)> slob for asking a stupid question. Repeat after me: THERE ARE NO STUPID
)> QUESTIONS, JUST UNASKED ONES.
)
)Please quote the part of my article in which I said that it is a
)stupid question. If you cannot - I demand a public apology. The
)question was *not* stupid. If there is something stupid here, it is
)the way SCAN reports such things...

I responded to the tone, not the wording of your message. And you can certainly demand anything. In an earlier post to you, I -requested- an apology from you for what you have done. Also in an earlier post I apologized when I thought I was out of line, without request or demand. Unlike you, I -do- sometimes apologize when I am wrong. Now who is arrogant? I do not think I was wrong here, and I will not apologize for this. You could and should (in my opinion) have handled the requestor in a nicer manner.

[deleted]

)The information that I present here usually *is* correct. If you don't
)like my presentation - feel free to present it better. Just be careful
)not to let the correctness suffer. Then each reader will be able to
)select the presentation they like.

I believe that the information you present is usually correct, when factual in nature. I have caught you out a couple of times. Once I responded, I think. I think readers -already- select based on presentation. And so far the messages I have received from other than three persons on this net have been 100% in favor of my opinions and manner of expressing them. The wrangling notwithstanding, I respect your technical expertise, Vesselin.
)> It should not be hard to write a utility which would
)> read the boot sector off any cleanly formatted disc, fix up the BPB part
)> of it and write it to the disc to be "disinfected". Maybe I'll do it.
)> But not now, I'm working 14 hours per day as it is. Anyone else want to
)> pick up the gauntlet? It would be a good thing!
)
)Don't bother - it wouldn't be such a good thing. It relies on the user
)being able to provide a diskette that is (a) not infected, (b)
)bootable, and (c) formatted with the same version of the operating
)system. While it might seem an easy thing to do, I know from
)experience that many users are not able to do it. The OEM-supplied
)solution that I proposed is much better; after all SYS already carries
)an uninfected bootable boot sector for the right operating system...

This is correct for (a), (b), and (c) (well, sort of for (c)). I have no personal experience with getting users to supply it, so I will defer to your experience on this matter. You say it is difficult, so I believe you. The reason I say sort of for (c) is that the version of the operating system is not really required. I believe that what you really need to know is the -names- of the hidden files. The actual version of the OS is not important. I agree that the OEM supplied solution would be superior. The names of the special hidden files are known etc.

)> char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
)
)Hmm... short, but not very portable. Assumes a computer with ASCII
)charset. :-) How about the slightly longer
)
)#define y(x)char*s=#x;x
)y(main(){printf("#define y(x)char*s=#x;x\ny(%s)\n",s);})
)
)? :-))

Also cute. I prefer the one in my .sig because it is so short. I thought that particular .sig was especially appropriate for this newsgroup. I haven't tried yours, but it looks like it would work.
Mike
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 02:06:18 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Need Help on "V-SIGN" virus (PC)

Vesselin Bontchev wrote:
)Mike McCarty (jmccarty@spd.dsccc.com) writes:

[stuff deleted]

)I see. Did you use high-capacity diskettes for your backup?

No, I wanted to be able to use the backups to restore to more than one system, including one which had only 360K floppies.

[deleted]

)Now, tell me honestly - did you really know about the bug in the virus
)that I mentioned?

I'll tell you honestly - by now I don't remember what bug you are referring to. However, had you not deleted that info, I would have it now available to me to respond.

)> Also, DOS BACKUP uses the entire disc. Thus it was not only likely, it
)> was a _surety_ that the overwritten sectors of the disc would contain
)> useful data even on a 360K floppy. Contrary to what you say.
)
)Contrary to what I say??

Yes, contrary to what you said. Indeed contrary to what you said. Quite contrary to what you said. I quote:

"What kind of backup did you use? Also, V-Sign is quite different from Azusa. When Azusa infects a floppy, it overwrites the sector at Track 39, Head 1, Sector 8. This is at the end of a 360 Kb floppy (thus unlikely - although possible - to destroy something). However, it is in the middle of a high-capacity floppy, thus almost certainly destroying information there."

Note that you mentioned "backup" in the very paragraph. So you -knew- we were discussing backups. In this paragraph you specifically mentioned the very virus under discussion, Stoned.Azusa. You also specifically mentioned that on a 360K floppy corruption was unlikely. Oh, yes, distinctly contrary to what you said.

)Could you please quote me saying that when
)DOS BACKUP is used it does not use the entire disk? Or that in this
)case Azusa will not cause damage?
)No, in fact this is exactly why I
)asked you what kind of backup software do you use. I know several
)people who use ARJ to backup their disks on multi-volume archives, and
)tell the archiver to make each of the volumes contain complete files
)(i.e., no volume-spanning files) - in order to need only a single
)volume to restore a particular file. In those cases there are often
)empty spaces left at the end of the floppies. Depending on the floppy
)disk size, Azusa might not destroy those.

So now we are going from "unlikely to" to "might not".

[more deleted]

)This information *is* true. If you don't believe me - go familiarize
)yourself with the V-Sign.

Don't disbelieve you for a minute. I'm sure you are adequately informed.

)> Any virus which overwrites any part of any disc can corrupt it in such a
)> way that no disinfector can reverse the damage.
)
)Yep. That's exactly why there ain't no such thing as a "harmless"
)virus.

Well, we agree there. At least for wild viruses. A virus disinfection trainer might be ok. Not completely sure about it. But see previous posts.

Mike
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 01 Sep 94 08:23:00 -0400
From: clotsche@coh.fgg.EUR.NL (Pim Clotscher @ COH)
Subject: Thunderbyte anti-virus - how good? (PC)

Virus experts,

Where can I get objective information about the Thunderbyte anti-virus package? There was a review/test in Virus Bulletin of July 1994, but I have no access to that information. Can anybody tell the conclusion / strong points, weak points, etc.? I realize that I'm asking quite a lot ....

with regards,
Pim Clotscher
Erasmus University Rotterdam - NL E.R.C.
- Computer Support Hoboken
E-mail (Internet): clotscher@coh.fgg.eur.nl

------------------------------

Date: Thu, 01 Sep 94 13:38:03 -0400
From: pein@informatik.tu-muenchen.de (Ruediger Pein)
Subject: Re: HELP: trying to find cure for a unknown virus (PC)

Gertjan_Vroon@f17.n310.z9.virnet.bad.se (Gertjan Vroon) writes:

|> * In a message originally to All, Jeffrey W. Thompson said:
[...]
|> > When Windows is booted, or rather started up, the system hangs.
|> > If any attempt is made to write over the system.ini file, the system
|> > hangs.
|> > If any .ini file is attempted to be edited the system hangs.
[...]
|> If I were you, I would boot up from a clean system disk, scan with a heuristic
|> scanner like TBScan/TBAV or F-Prot and install all the system files of Windows.
|> Don't restore your backup!!! This backup is maybe already infected.

And it doesn't have to be a virus... Perhaps only some bytes changed accidentally on the hard disk.

Ruediger Pein

------------------------------

Date: Thu, 01 Sep 94 14:49:16 -0400
From: twc0@gte.com (Thomas W. Christoffel)
Subject: Virus - Russian 32 or 37? (PC)

Has anyone encountered a virus called Russian 32 or Russian 37? Please E-mail me with details if you have.

Tom Christoffel
GTE Labs
tchristoffel@gte.com

thanks

------------------------------

Date: Thu, 01 Sep 94 16:11:22 -0400
From: groener@vt.edu (groener)
Subject: Central Point Update? ---- FTP site? (PC)

Does anyone know if Symantec has an FTP site so that I can get updates on the Virus signatures?

------------------------------

Date: Thu, 01 Sep 94 20:59:18 -0400
From: 917318@edna.cc.swin.edu.au (Kim Oliver Hennig)
Subject: Help Filler virus (PC)

Hi there, can anyone tell me anything about the Filler virus.
I get the Filler virus in memory after I format a floppy boot disk. This is the only way I can get the virus into memory, but when I scan the drives nothing is found. Please help.

kim

------------------------------

Date: Thu, 01 Sep 94 21:05:56 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Possible undetectable virus?? (PC)

Hello Mr. Beauchamp,

I usually reply directly to messages posted in comp.virus, but I thought the reply might be of interest to other people.

jamesb@osuunx.ucc.okstate.edu (James Beauchamp) writes:

> I may have a virus undetectable by mcafee117. When I try to
>read a text file from the 3.5 floppy with the write protect open, I
>get the message "write protect failed......a)bort...etc...".

Well, that could mean that a virus is trying to write to the disk, but...

> This has never appeared, and should not to my knowledge. I
>then activated Vsafe to block floppy boot sector writing, closed the
>write protect, and upon retry, received an intermediate pipe error.

[...deleted...]

You are getting a pipe error, which more than likely means that DOS is trying to redirect the output of one command, say TYPE, to another, say MORE, with the pipe "|" redirector and failing. Why is this? Well, when DOS redirects the output of one command to another, it creates a temporary file in the current drive/directory to store the output of the first command. To avoid this in the future, try setting the TEMP variable to a `scratch` directory in your AUTOEXEC.BAT file. This tells DOS to put temporary files created by file redirection in that directory. For example, create a directory named "C:\TEMP" and then add the line "SET TEMP=C:\TEMP" to your AUTOEXEC.BAT. That should take care of things. If not, please let me know by email.

Regards,

Aryeh Goretsky
Technical Support
--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.
| Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA | USR HST Courier DS | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Thu, 01 Sep 94 21:11:44 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: McAfee Virus Scan (PC)

Hello Mr. Foelling,

yngvar@vestnett.no (Yngvar Foelling) writes:

>I have a problem with McAfee's VSHIELD 2.10e (unregistered version).
>When it starts up, it keeps detecting viruses at random in the area
>640-720 kB. This is, of course, the screen buffer, but since the screen
>is in text mode when it runs, most of the memory should be disabled.
>
>I'm almost certain that they are false positives. SCAN doesn't detect
>any viruses there, and VSHIELD detects *different* viruses every time.

[...deleted...]

We are investigating this now and should have a fix available for testing later this month.

Regards,

Aryeh Goretsky
--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA | USR HST Courier DS | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Thu, 01 Sep 94 22:06:54 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Server-downing virii (PC)

Hello Mr. Esquivel,

I cannot seem to locate the original message, but will do my best to reply to your question. While I usually answer the poster directly, I am replying to your message via comp.virus since other people may be interested in the reply.

"Fabio Esquivel C."
writes:

>OK, Fran excuses himself 'cause he doesn't know all the details why the
>PC Support group in their headquarters issued the warning about not
>using McAfee's NetShld.NLM on a Novell Server.
>
>But... what does McAfee have to say about this? Has McAfee experienced
>such corruption on their own Novell servers when testing the product
>before they put it on their FTP node? Was it a bug on a single old
>version, already fixed on current versions? Or what?

NetShield Version 1.5x had a problem with its checksumming option in that it would treat the Novell NetWare bindery files as having been modified by a virus and then perform a user-selectable action on them (move, delete, or leave-alone) when certain tape-backup software was run on the server. This was fixed in NetShield Version 1.60. If anyone is running a version of NetShield prior to Version 1.60, I would recommend they upgrade their server as soon as possible to the current version.

NetWare bindery files are data files which contain account information about the users on a server. They do not contain any executable code, but their names end with a three-character extension of .SYS, which is typically used in the DOS world to indicate device drivers.

>
>I think it's important to know if NetShld.NLM is potentially dangerous
>if loaded on a Novell server, which is a file (data, programs, etc.) server.
>
>If it does corrupt databases (I don't know why would it do so), then people
>already running this software are in danger...

I think I have answered your question, at least to the best of my knowledge given that I cannot find the original post. If you do have any further questions, please email me directly at aryeh@mcafee.com.

Regards,

Aryeh Goretsky
Technical Support
--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.
| Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA | USR HST Courier DS | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Fri, 02 Sep 94 08:50:51 -0400
From: vollmerm@fh-nuertingen.de (Michael Vollmer)
Subject: Info need on Hasita / J&M virus (PC)

I need info about the virus Hasita / Genp (so called by McAfee SCAN) or J&M (so called by F-Prot). Who can help me?

Michael Vollmer
FHS Nürtingen
Germany

------------------------------

Date: Fri, 02 Sep 94 12:22:50 -0400
From: pnd2@ukc.ac.uk
Subject: Honecker ??? (PC)

Believe there is a virus out called Honecker. Is this true? Heard tell that it is somewhere in the Eastern part of Germany, meaning the old East Germany. So, if TRUE, what does it do? Which scanners can detect the virdude?

Cheers,
Prem D. ( Another cool hippy frood ! )
--
Premkumar N. Devadason      Dept. Of Comp. Science
Res. Ph : +44-227-763847          ,__o
University of Kent              _-_>/_,
at Canterbury.(U.K.).          (*)/'(*)

------------------------------

Date: Mon, 22 Aug 94 11:13:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Lenart? or CPAV blof. (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> While CPAV is indeed a pile of junk, I have never seen
> it doing what you describe - reporting a perfectly innocent floppy
> disk as infected. Can you send me an *uninfected* floppy on which CPAV
> finds the Lenart virus? I bet you can't.

Don't be so arrogant. And don't bet too much (though it's easy with words) ;-) And if I can give you a floppy like this, will you eat it as a gesture of your being wrong? If you say yes I'll send you one and ask for a video of the meal 8-) Just for your information, Eli Shapira (you know who that is, right?)
wrote in another news group in a message to Israel Radai that indeed CPAV (of all its variants probably) DID false alarm on innocent floppies. I'd say that backs my posting pretty well.

AN>> I'm afraid... Hmmm...no actually I'm happy, to tell you
AN>> that you probably had nothing there, but now you do!

> You are wrong. There is a particular virus (AntiEXE or
> AntiCMOS, not sure which one) that is detected as
> "Lenart" by CPAV.

Again: I'm still not sure I'm wrong, and neither is the user. However on one thing we both agree

> now has a screwed up boot sector, because of CPAV's sloppiness.

As for that:

> I really expected you to be more knowledgeable.
> Is the quality of your product as "good" as your advices?

I'd really expect you to be more professional, as you try to seem, writing trivial answers to constantly repeating posts of the same sort. But it seems you are too busy playing a critic rather than spending some time on virus reality. As shown above... you really allow yourself a little too much, being so arrogant, don't you? And I don't recall ever seeing any Anti Virus of your production. It sure is so much easier to criticize everyone. Let's see you do something more productive ;-)

However (Still) warm regards

* Amir Netiv. V-CARE Anti-Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Mon, 22 Aug 94 10:43:00 +0200
From: Amir.Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Fixing the boot sector of a floppy? (PC)

rtulloch@lynx.dac.neu.edu (renrick tulloch) asks:

> A lot of our floppies were infected by the Genb
> and Genp virus, which affects the boot sector.
> Is there a way to overwrite the boot sector of
> the floppy without deleting the contents of the disk.
> EX: I know you can fix the boot sector of the hard
> drive with the command fdisk /mbr but is there a command for
> diskettes that will do this?
The command FDISK /MBR does NOT restore the Boot Sector of the Hard Drive but only the Master Boot Record (also known as Partition Table). The only thing that has an impact on Boot Sectors (of both floppies and disks) is the command SYS ?: This will rewrite the original Boot Sector. However keep in mind that in some cases a special part in the boot sector (known as Bios Parameter Block = BPB) is scrambled. In this case SYS will not restore access to the disk/floppy, however the virus WILL be destroyed. For disks: the same might happen with FDISK /MBR.

The guiding rule is:
----------------------------------------------------------
If you can see drive C: after you boot the PC from a clean DOS floppy, (even if it doesn't boot from the disk) FDISK /MBR will work!
----------------------------------------------------------

Hope it helps

warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Fri, 19 Aug 94 22:32:04 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: Best Anti-virus software (PC)

Hello ohe@allianse.no!

30 Jun 94 14:58, ohe@allianse.no wrote to All:

on> We're trying to figure out the best Anti-virus software for both
on> NetWare servers (NLMs) and DOS/Windows workstation.

In the latest edition of Byte is an NLM AV test.. Someone else has my edition, so I can't give you the results. I can remember that they weren't very pleased with Netshield.

on> Thank you.

Greetz,
Rinse

--- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Fri, 19 Aug 94 22:38:05 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: Stealth.B Pain (PC)

Hello Rudy!

30 Jun 94 14:58, Rudy A Davis wrote to All:

RAD> Central Point Anti-Virus version 1.5 does not even recognize
RAD> this virus.

CPAV is one of the worst A/V programmes. At least, it was.
I don't know what the newest version is like...

RAD> Norton Anti-Virus 3.0 recognizes it but requires a RESCUE disk.
RAD> I am trying my RESCUE disk but it appears that my RESCUE disk
RAD> is also now infected.

Norton A/V is also not one of the best a/v programmes.

RAD> Questions:
RAD> 2) Anyone have any suggestions about an Anti-Virus program
RAD> which will take care of this virus dynamically without
RAD> having to re-install DOS ?

I use Thunderbyte Anti-Virus and F-Prot. I think these two can be considered to be among the best a/v software packages around.

RAD> 3) Where is a published listing of people who write viruses
RAD> so that I may wish bad things toward them by name ?

Well, I know a few guys. But they SAY that they don't spread viruses. Only write them.

RAD> Thanks and regards,
RAD> RAD

Greetz from Beetsterzwaag (friesland),
Rinse

--- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Fri, 19 Aug 94 23:01:06 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: Thunderbyte Antivirus (PC)

Hello Bill!

05 Jul 94 17:15, Bill Lambdin wrote to All:

BL> from my tests, TBAV's scanner is of equal quality to F-prot.

And, extremely fast....

BL> Bill Lambdin

Greetz from Beetsterzwaag (friesland),
Rinse

--- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Fri, 19 Aug 94 23:06:07 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: Possible virus? (PC)

Hello!

05 Jul 94 17:15, slb96@cc.usu.edu wrote to All:

sue> Forgive me if this is not a virus, but I feel that it is.

Let's have a look...

sue> About 5 or 6
sue> months ago I turned my computer on and got an error, HD Controller Error.
sue> Since then, I have been needing to boot off a floppy drive (I have a
sue> program which redirects the bootup to the C drive).

After such a boot, did you ever use a test program? Like CheckIt.
I mean, did you ever check the computer with software?

sue> So, I called up the
sue> local computer places and asked their opinions. They told me to buy a
sue> new controller card (which makes sense), so I did. That didn't seem to
sue> fix the bug.

That's the logical solution...

sue> Then they said to try a format, which I did. Still no
sue> luck.

Well, a virus is wiped off the disk when it's formatted. When you reboot after the format the disk is clean. So no virus can be loaded. If there was a virus in memory, a boot would terminate it. (At least, a 'cold' boot would do the trick).

sue> After that I also tried a new HD, but that did not work either.

I think that it's impossible to have a virus on a hd that is never used.

sue> At last I broke down and took the computer in. They couldn't figure out
sue> what was wrong. So, I thought it was just some freakish problem.. until
sue> tonight.

That's what I think so far ;-)

sue> I was at a friends house and he too was having the same
sue> problem. When I asked him how long it had been doing it, he told me
sue> around 4 or 5 months. I have now been up for around 5 hours reading
sue> docs, the FAQ for this group, and asking questions on IRC. So I guess it
sue> all boils down to this question, Might I have a virus?

Does your friend have the same type computer you have?? If so, maybe it's a manufacturer error or something like that..

sue> I don't know much
sue> about viruses, so don't flame me too much. :-) THanks for any help.

Greetz from Beetsterzwaag (friesland),
Rinse

--- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Thu, 01 Sep 94 10:32:02 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: Re: Tripwire V1.2 Release (Finally!)

On Tue, 30 Aug 1994 10:14:32 -0500 I wrote:
> [...]
>
> A mailserver exists for distribution and to provide a means of
> reporting bugs.
> To use the mail server, send e-mail to
> "tripwire-request@cs.purdue.edu" with a message body consisting solely
> of the word "help". The server will respond with instructions on how
> to get sources, patches (if any are issued), and how to report a bug
> (which we hope doesn't happen!).

That was a typo. I thought I had deleted it. It was supposed to have read:

Sorry about the confusion.

--spaf

------------------------------

Date: Thu, 01 Sep 94 22:26:30 -0400
From: Joe Wells <0004886415@mcimail.com>
Subject: September 1 WildList (PC)

============================================================================
PC Viruses in the Wild - September 1, 1994
============================================================================

This is a cooperative listing of viruses reported as being in the wild by 16 virus information professionals. The basis for these reports is virus incidents where a sample was received and positively identified by the participant. Rumors and unverified reports have been excluded.

The list should not be considered a list of "currently common" viruses, however. No provision is made for commonness. A currency basis for the list has been set. Viruses not reported for over a year are removed. This data indicates only "which" viruses have been found in the wild.

============================================================================

The section below gives the names of participants, along with their organization, antivirus product (if any), and geographic location.
Key  Participant            Organization       Product         Location
============================================================================
As   Alan Solomon           S&S Int'l          Toolkit         UK
Dc   Dave Chess             IBM                IBM AntiVirus   USA
Ek   Eugene Kaspersky       KAMI               AVP             Russia
Fb   Fernando Bonsembiante  Virus Report       None            Argentina
Fs   Fridrik Skulason       Frisk Int'l        F-Prot          Iceland
Gj   Glenn Jordan           Datawatch          VirexPC         USA
Jw   Joe Wells              Symantec           NAV             USA
Pd   Paul Ducklin           CSIR Virus Lab     None            So Africa
Pp   Padgett Peterson       Hobbyist           DiskSecure      USA
Rf   Richard Ford           Virus Bulletin     None            UK
Rh   Richard Head           Jade Corp          Scan Vakzin     Japan
Rr   Roger Riordan          CYBEC              VET             Australia
Sg   Shimon Gruper          EliaShim           ViruSafe        Israel
Vb   Vesselin Bontchev      U of Hamburg       None            Germany
Ws   Wolfgang Stiller       Stiller Research   Integ Master    USA
Yr   Yuval Rakavi           BRM                Untouchable     Israel
============================================================================

The first chart is based on two or more participants reporting a virus. Therefore, these viruses are probably more geographically scattered.

CARO Name of Virus         AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr  Alias(es)
============================================================================
AntiCMOS.................| . x . . x . x . . . . . . . . x | Lenart
AntiEXE.A................| x x . . x x x x . . . . . x . x | D3,Newbug
Baclab...................| . . . . . . x . x . . . . . . . |
Barrotes.1310.A..........| x . . . . . x . . . . . . . . . | Barrotos
Boot-437.................| . . . . x . x . . . . . . . . x |
BootEXE.451..............| . . . . x . . . . x . . . . . . | BFD-451
Brasil...................| . . . . . . x . x . . . . . . . |
Butterfly.Butterfly......| . . . . . . x . . . . . . x . x |
Cascade.1701.A...........| x x . x x x . . . x x . x x . . | 1701
Cascade.1704.A...........| x x x . x . x . . . . . x x . . | 1704
Changsha.A...............| . . . . . . . . . . x x . . . . | Centry
Chinese_Fish.............| x . . . x x x . . . . x . x . x | Fish Boot
CPW.1527.................| x . . . . . x . x . . . . . . . | Mediera,Mierda
Dark_Avenger.1800.A......| x x . x x x x . . x x x . . x . | Eddie
Datalock.920.A...........| x x . . . . x . . . . . x . . x | V920
Dir-II.A.................| x x x x x . x x . x x x x x x x | Creeping Death
Disk_Killer.1_00.........| x . x . . . . . x x . . x . . . | Ogre
EXE_Bug.A................| x . . . x . x x . x . . x . x . | CMOS Killer
EXE_Bug.C................| . . . . . . . x . . . . x . x . |
Fichv.2_1................| x . . . x . . . . . . . x x . . | 905,CHV 2.1
Filler.A.................| . . . . . x x . . . . . . . . . |
Flame....................| . . . . . . x . . . . x . x . x | Stoned(3C)
Flip.2153.A..............| x x . x x . x . . x x . x . . x | Omicron
Flip.2343................| x . . . x . . . . . . . . . . . | Omicron 2
Form.A...................| x x . x x x x . x x x . x x x x | Form 18
Form.D...................| . . . . x . x . . . . . . . . x | Form May
Freddy_Krueger...........| . . . . x . x . . . . . . . . x | Freddy 2
Frodo.Frodo.A............| x . . x x . x . . . x x x x . x | 4096,100 Year
Ginger...................| . . . . . . x . . . . x . . . . | Gingerbread
Green_Caterpillar.1575.A.| x x . . x x x . . x x x x x x . | Find,1591,1575
Helloween.1376.A.........| x . . . . . x . . x x x . . x x | 1376
Hidenowt.................| x . . . . . x . . x . . . . . . |
Jerusalem.1808.Standard..| x x . x x x x x x x x . x . x x | 1808,Israeli
Jerusalem.Anticad.4096.B.| x . . . x . . . . . . . x . . . | Invader
Jerusalem.Mummy.2_1.A....| x . . . x . . x . . x . x . . . | PC Mummy
Jerusalem.Sunday.A.......| . . . . . . . x . . x . . . . . | Sunday
Jerusalem.Zero_Time.Aust.| x x . . . . . . . . . x x . x . | Slow
Joshi.A..................| x x . . x x x . x x x x x x x x |
Jumper...................| x . . . x . x . . . . . . x . x | French Boot
Junkie...................| . . . . x . . . . . . x . x . . |
Kampana.A................| x x . x x x x . . x x . . . x . | AntiTel,Telecom
Kaos4....................| . . . . x . x x . . . . . . . . |
Keypress.1232.A..........| x x . . . . . . . x x x x . x x | Turku,Twins
Lemming..................| . . . . . . x . . . . x . . . . |
Liberty.2857.A...........| . x . . x . x . . x x . . . x x | Mystic,Magic
Little_Red...............| . . . . . x x x . . . . . . . . | Red Book
Maltese Amoeba...........| x x . . x . . . x x . . x . x x | Grain of Sand
Music_Bug................| . . . . x x . . x . . . . . x . |
NJH2LBC.A................| x . . . . . . . . . . . . . . x | Korea Boot
No_Frills.Dudley.........| x . . . . . . . . . . x . . . . | Oi Dudley
No_Frills.No_Frills.843..| . . . . . . x . . . . x . . . . |
Nomenklatura.A...........| x x . . . . . . . . . . . . . . | Nomen
November_17th.855.A......| x x . . x . x . . . . . . . . . | V855
NPox.963.A...............| . . . . x . x . . . . . . . . . | Evil Genius
NYB......................| . . . . x . x . . . . . . . . x | B1
Ontario.1024.............| . x . . . . . . . . . x x . . . | SBC,1024
Parity_Boot.B............| x x . . x . x x . x x . . x . . | Generic 1
Pathogen:SMEG.0_1........| x . . . . . . . . x . . . . . . |
Ping_Pong.B..............| x x . x . . . . . x . . x . x x | Italian
Predator.2448............| . . . . x . x . . . . . . . . . | 2448
Print_Screen_Boot.A......| x x . . . . x . . . . . . . . x | India,PrnSn
QRry.....................| . x . . . . x . . . . . . . . . | Query,Quarry
Quox.....................| . x . . x . x . . . . . . . . . | Stealth 2
Ripper...................| x x . . x . x . . . . . . . . . | Jack Ripper
Sat_Bug.Natas............| x . . . x . x . . . . . . x . . | Satan
Sat_Bug.Sat_Bug..........| . . . . . . x . . . . . . . . x | Satan Bug
Sayha....................| . . . . . . x . . . . . . . . x |
Screaming_Fist.II.696....| x x . . . x x . . . . . . . x . | Fist 2,Scream 2
Sleep_Walker.............| . . . . . . x . . . . x . . . . |
Stardot.789.A............| . x . . . . x . . . . . . . . . | 805
Stealth_Boot.B...........| . x . . . . x . x x . . . x . . | STB
Stealth_Boot.C...........| . . . . . x . . . . . . . x . . |
Stoned.16.A..............| x x . . . . x . . . . . . . . x | Brunswick
Stoned.Azusa.A...........| x x . . x . x x x . x x x . x x | Hong Kong
Stoned.Bunny.A...........| . . . . . . . x . . . . . . x . |
Stoned.Dinamo.*..........| . . . . . . x . . . . . . . . x |
Stoned.Empire.Monkey.A...| . x . . . . x . . . . x . . . . | Monkey
Stoned.Empire.Monkey.B...| x x . . x x x x x x . x . x x . | Monkey 2
Stoned.June_4th.A........| x . . . . x x . . . x x . x x x | Bloody!,Beijing
Stoned.Lzr...............| . x . . x . x . . . . . . . . x | Stoned.Whit
Stoned.Manitoba..........| . x . . x . x . . . . . . . . . | Stonehenge
Stoned.Michelangelo.A....| x x x x x x x x x x x x x x x x |
Stoned.No_INT.A..........| x x . . x x x x . x . x . . x x | Stoned
Stoned.Standard.A........| x . x x x x x x x x x x x x x . | New Zealand
Stoned.Swedish_Disaster.A| x . . . . x . . . . . . . . . . |
Stoned.W-Boot............| . . . . . . x . . . . x . . . x | W-Boot
SVC.3103.A...............| x . x . . . x . . . x . x . . . | SVC 5.0
Tai-Pan..................| . . . . x . . . . . . . . x . . |
Tequila.A................| x x . . x . x . . x x . x x x x |
Three_Tunes.A............| . . . . . x x . . . . . . . . . | 1784
Tremor.A.................| . . . . x . . x . x . . . x x . |
Trojector.1463...........| . . . . x . x . . . . . . . . . | Athens
V-Sign...................| x x . . x x x . . x x x x x x x | Cansu,Sigalit
Vacsina.TP-05.A..........| x x . . x x x . . x x . . . x . | RCE-1206
Vacsina.TP-16.A..........| x x . . x . . . . . . . . . . . | RCE-1339
Vienna.648.Reboot.A......| x x x . . . . . . . . . . . . . | DOS-62
WXYC.....................| . x . . . . x . . . . . . . . . |
Yankee Doodle.TP-39......| x . . . x . . . . . . . . . . . | RCE-2772
Yankee Doodle.TP-44.A....| x . x . x . x . . x x . . x . . | RCE-2885
Yankee Doodle.XPEH.4928..| . . . . x . . . . . . . . . . x | Micropox
============================================================================
Total for first list: 100
============================================================================

The second chart is based on a single participant noting more than one infection site and may signify limited regional virus outbreaks.

CARO Name of Virus         AsDcEkFbFsGjJwPdPpRfRhRrSgVbWsYr  Alias(es)
============================================================================
5lo......................| . . . . x . . . . . . . . . . . |
Bad_Sectors.A............| . . . . . . . . . . . . . . . x |
Cascade.1701.G...........| . . . . . . . . . . . . . x . . | 1701
Cascade.1704.D...........| . . . . x . . . . . . . . . . . | 1704
Chill....................| . . . . . . x . . . . . . . . . | Chill Touch
Coffeeshop:MtE...........| . . . . . . . x . . . . . . . . |
Corgi....................| x . . . . . . . . . . . . . . . |
Danish_Tiny.467..........| . . . . x . . . . . . . . . . . |
Dark_Avenger.2100.SI.A...| x . . . . . . . . . . . . . . . | V2100
Datalock.828.A...........| . . . . . . . . . . . . . . . x |
Den_Zuko.2.A.............| x . . . . . . . . . . . . . . . | Den Zuk
Diamond.1024.B...........| . . . . x . . . . . . . . . . . |
DOS_Hunter...............| . x . . . . . . . . . . . . . . |
Emmie.3097...............| . . . . . . . . . . . . . . . x |
EXE_Bug.B................| . . . . . . . x . . . . . . . . |
EXE_Bug.Hooker...........| . . . . . . . x . . . . . . . . |
Finnish.357..............| . . . . x . . . . . . . . . . . |
Finnish_Sprayer..........| . . . . x . . . . . . . . . . . |
Freddy_Soft..............| . . . . x . . . . . . . . . . . |
Galicia..................| . . . . . . x . . . . . . . . . | Telecom
Gippo.Epidemic...........| . . . . . . x . . . . . . . . . |
Gippo.JumpingJack........| . . . . . . . . . . . . . . . x |
Hafenstrasse.*...........| . . . . . . . . . . . . . x . . | Hafen
Hi.460...................| . . . . . . . . . . . . . . .
x | Hi HLLC.Even_Beeper.B.......| x . . . . . . . . . . . . . . . | HLLC.EXE_Engine..........| . . . . . . . . . . . . . x . . | HLLO.Novademo.*..........| . . . . x . . . . . . . . . . . | HLLC.Sauna...............| . . . . x . . . . . . . . . . . | Ibex.....................| . . . . . . x . . . . . . . . . | Seven_Boot Involuntary.*............| . . . . . . x . . . . . . . . . | Invol Japanese_Xmas.*..........| . . . . . . . . . . x . . . . . | Xmas in Japan Jerusalem.1244...........| x . . . . . . . . . . . . . . . | 1244 Jerusalem.1808.Blank.....| . . . . x . . . . . . . . . . . | Jerusalem.1808.Critical..| . x . . . . . . . . . . . . . . | Jerusalem.1808.F.........| . . . . x . . . . . . . . . . . | Jerusalem.Anticad.4096.A.| . . . . . . . . . . . . . x . . | Plastique Jerusalem.Carfield.......| x . . . . . . . . . . . . . . . | Jerusalem.Fu_Manchu.A....| x . . . . . . . . . . . . . . . | 2080,2086 Jerusalem.Sunday.II......| . x . . . . . . . . . . . . . . | Sunday 2 Jihuu.686................| . . . . x . . . . . . . . . . . | Joshi.B..................| . . . . . . x . . . . . . . . . | Keypress.1744............| . . . . . . . . . . . . . . . x | Lame_Surprize.B..........| x . . . . . . . . . . . . . . . | Lamsurp.B Little_Brother.307.......| . . . . x . . . . . . . . . . . | MIREA.1788...............| . . x . . . . . . . . . . . . . | Lyceum,Lycee MISiS....................| . . . . . . . . . . . . . . . x | Zharinov,NIKA Necropolis.*.............| . . . . . . . . . . . . . . . x | 1963 Necros...................| x . . . . . . . . . . . . . . . | Gnose,Irish3 Nice.B...................| . . . . x . . . . . . . . . . . | November_17th.800.A......| . . . . . . x . . . . . . . . . | Jan1, 800 Number_of_the_Beast.E....| . . . x . . . . . . . . . . . . | 512,666 Parity_Boot.A............| . . . . . . . . . . . . . . x . | Peter....................| . x . . . . . . . . . . . . . . | Peter II Pro......................| . . . . . . x . . . . . . . . . 
| KMIT Queeg:SMEG.0_1...........| x . . . . . . . . . . . . . . . | Quit.A...................| x . . . . . . . . . . . . . . . | 555,Dutch Riihi....................| . . . . x . . . . . . . . . . . | SillyC.377...............| . . . . . . . . . . . . . . . x | SillyCR.351..............| . . . . . . . . . . . . . . . x | Stoned.Bravo.............| . . . . . . . x . . . . . . . . | Stoned.Empire.Int_10.B...| . . . . . . . . x . . . . . . . | Stoned.Michelangelo.K....| . . . . . . . . . . . . . . . x | Stoned.New_Zealand.......| . . . . . x . . . . . . . . . . | Stoned.NOP...............| . . . . . . . . . . . . . . x . | NOP Storm.1218...............| . . . . . . . . . . . . . . . x | SVC.2936.................| . . . . . . x . . . . . . . . . | SVC.3241.................| . x . . . . . . . . . . . . . . | Swiss_Boot...............| . . . . x . . . . . . . . . . . | Swiss Army Swiss_Phoenix............| . . . . . . . . . . . . . . . x | Sibylle..................| x . . . . . . . . . . . . . . . | Sword....................| x . . . . . . . . . . . . . . . | Tikka....................| x . . . . . . . . . . . . . . . | Trakia.*.................| . . . . . . . . . . . x . . . . | Virogen.Pinworm..........| . . . . . x . . . . . . . . . . | Vmem.....................| . . . . . . . . . . . . . . . x | Voronezh.1600.A..........| . . x . . . . . . . . . . . . . | RCE-1600 ============================================================================ Total for both lists: 176 ============================================================================ The collation of this material is done by Joe Wells, Virus Specialist at Symantec, Peter Norton Group, who is solely responsible for its contents. The material presented is implicitly copyrighted under various laws, but may be freely quoted or cited. However, its source and cooperative nature should be duly referenced. Feel free to distribute this list. Other antivirus product developers are invited to participate in the list. 
If you wish to do so, please contact me.

============================================================================
The WILDList by Joe Wells -- jwells@symantec.com -- 70750,3457 -- Vol2.09
============================================================================

------------------------------

Date: Sun, 04 Sep 94 02:05:54 -0400
From: tyetiser@gl.umbc.edu (Mr. Tarkan Yetiser)
Subject: vds30p.zip - AV package w/scanner, integrity checker etc. (PC)

I have uploaded to the SimTel Software Repository (available by anonymous
ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
vds30p.zip    AV package w/scanner, integrity checker etc.

VDS 3.0p is a comprehensive anti-virus package with a fast scanner, robust
integrity checker, decoy launcher, generic remover, excellent network
support and an easy-to-use user interface. It also includes a low-level
disk utility to effectively deal with boot sector viruses.

Special requirements: None

vds30p.zip has replaced vds30m.zip.

ShareWare. Uploaded by the author.

Tarkan Yetiser
tyetiser@cyberia.com

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 78]
*****************************************