VIRUS-L Digest   Monday, 3 Oct 1994   Volume 7 : Issue 79

Today's Topics:

Virus Info
Suggestions-anti-virus kit?
Advice sought
Re: Netcom distributing viruses
Re: Anyone heard of a virus for a SCO XENIX system? (UNIX)
re: MBR Virus and OS/2 with HPFS (OS/2)
changing genP/genB virus (PC)
Info on Anti-Virus packages (PC)
Re; backform/FAQ (PC)
Jack the Ripper virus: Does a remover exist anywhere??? (PC)
Possible New Virus (PC)
Re; KOH (PC)
Possible New Virus (PC)
Re; HELP FKRUEGER (PC)
symptoms: Insufficient mem to shell to DOS (PC)
Re; Has anyone had the sigilit virus? (PC)
Non-virulent self replicating programs (PC)
ThunderByte 6.23 (PC)
AVP V 2.0 (PC)
New Virus? (PC)
Monkey.Stoned virus on multimedia 486 won't go away... (PC)
spread of UUENCODEd virus in Fido virus echoes (PC)
HP's "Survey" floppy [VForm] (PC)
Secret Virus? (PC)
Help ! virus infected. (PC)
Help ! Anti Thunderbyte (PC)
Info needed on Little Red Virus (PC)
Mutation Engine (PC)
VDS ?? (PC)
ANTI-EXE What does it Do. (PC)
V-Sign Virus (PC)
Nops virus? (PC)
Re: backform/FAQ (PC)
Re: F-Prot scans UMBs ??? (PC)
Re: Need Help With Trident Virus (PC)
Re: BSVs and F-PROT/VIRSTOP (PC)
Re: VIRUSCAN 2.x gripes & grumbles (PC)
Re: GenB virus - Need Help (PC)
Re: Need Help With Trident Virus (PC)
What is KAOS4 (PC)
Utility to Test Memory Resident Anti-Virus Scanners (PC)
Announcement: French Computer Criminality Research Center
tbav - Thunderbyte anti-virus v6.24 (Complete/Windows/Optimized) (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
VIRSIM Test (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)

Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 06 Sep 94 10:16:10 -0400
From: loomi@gatecoms.gatecom.com (Chris Allumi)
Subject: Virus Info

Can anyone give me some info on books that explain viruses/virii (whichever you prefer)? I'll be doing an independent study at school this year concerning virus detection etc. and need a good place to begin researching.

Thanks.

------------------------------

Date: Fri, 09 Sep 94 22:52:00 -0400
From: rickker@aol.com (Rickker)
Subject: Suggestions-anti-virus kit?

I am new to the world of viruses, and am looking for some help in choosing a virus toolkit. I do service work on people's computers and would like to add virus protection/detection/removal to my repertoire. Any recommendations will be greatly appreciated.

Thanks,
Rick C.

------------------------------

Date: Mon, 12 Sep 94 08:40:10 -0400
From: kontoudi@aphrodite.uoregon.edu (Dimitris Kontoudis)
Subject: Advice sought

Greetings,

Can someone please give an answer to my simple question? What is the best anti-virus package available (either public domain or commercial)?

Thanks for your time.

Regards,
Dimitris.

PS. Please reply to the address ``kontoudi@ics.forth.gr'' and I will summarize and post the answers.

- --
DIMITRIS KONTOUDIS                    | Internet : kontoudi@ics.forth.gr
ICS - FORTH                           |
Science and Technology Park of Crete, | Tel. : (+30) 81 391746,
P.O. Box 1385, Voutes, Heraklion,     |        (+30) 81 391745.
GR - 71110, Crete.                    | Fax. : (+30) 81 391740.
------------------------------

Date: Mon, 12 Sep 94 19:19:29 -0400
From: ygoland@hollywood.cinenet.net (Yaron Y. Goland)
Subject: Re: Netcom distributing viruses

> It is a crime to let a virus loose on someone else's computer. It is not
> a far step, nor is it a break with the existing philosophy of our laws, to
> make it illegal to distribute the virus randomly to others - since a
> reasonable person knows that some of those others will let it loose.

A virus is nothing more than a set of bits, and if I release it to someone who knows what it is then they assume responsibility for what they do with it. In certain cases, where the receiving party is not competent, other laws may hold. This is why alcohol cannot be served to minors or guns sold to felons.

However, the virus case is even harder to deal with. If I take viral code in assembly, print it out, scan it, and then release a GIF of the paper, would I commit a felony by giving out that GIF? What if I give a speech on the corner where I read out the viral code? What if I print out the code and sell it as a book? We cannot draw a line at distributing viruses in inert form, as to do so is a fundamental violation of free speech.

Society pays a price for its freedoms. If we lived in a state of martial law we would have much less crime. If we shot everyone who used or sold drugs we would have a much reduced drug problem. There are all sorts of measures society can take which would increase the quality of certain parts of our lives. However, American society has chosen to forgo the benefits of these laws because they deem the benefits of freedom to be worth much more.

Yaron

- --
ygoland@seas.ucla.edu        Senior, Computer Science & Engineering
73160.327@compuserve.com     School of Engineering and Applied Science
                             University of California, Los Angeles

------------------------------

Date: Mon, 12 Sep 94 14:42:39 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Anyone heard of a virus for a SCO XENIX system? (UNIX)

ertan@ponder.csci.unt.edu (Ertan Zanagar) writes:

> Does anyone know if there is a virus out there that would
> in any way affect a SCO XENIX system? Any help is much appreciated.

Assuming the hardware is standard, IBM PC compatible, any MBR-infecting virus may be able to infect the machine, although it will probably be prevented from spreading once Xenix takes over.

- -frisk

------------------------------

Date: Mon, 12 Sep 94 15:50:10 -0400
From: "David M. Chess"
Subject: re: MBR Virus and OS/2 with HPFS (OS/2)

> From: tnmanego@rrws1.wiwi.uni-regensburg.de (Thorsten Manegold)
> I'd like to know what a Boot Sector/MBR Virus (like PARITY-B) can do
> under OS/2 especially if the HD is formatted with HPFS. Does it get
> activated when OS/2 starts via the Boot Manager? ...

The master boot record is outside any operating system partition, so in some sense MBR viruses don't care about the operating system, let alone the file system. In practice, though, it does tend to matter, because even MBR viruses generally make some operating-system-dependent assumptions.
What typically happens when an OS/2 system gets an MBR virus is:

- User leaves infected diskette in A:, powers on
- Virus is loaded from the diskette by BIOS, runs, sees the uninfected hard disk, stashes the real MBR somewhere that it hopes isn't used (generally somewhere in track 0, which neither DOS nor OS/2 -usually- use for anything), writes itself to the master boot record, etc.
- Virus loads and passes control to the original diskette boot record, which says "I'm not bootable, silly human"
- Human removes diskette, and reboots
- BIOS loads virus from the hard disk MBR and runs it
- Virus makes some space for itself in real memory, copies itself there, hooks the diskette interrupt, loads and passes control to the original MBR
- Original MBR loads OS/2
- As it comes up, OS/2 uses the disk/ette interrupt just long enough to find and load the protect-mode disk and diskette drivers, and starts to use those; the diskette interrupt that the virus is sitting on never gets used again, so the virus won't spread.
- If the virus is stealthed and doesn't preserve the original partition table in the infected MBR (like Monkey), OS/2 will cease to be able to interpret the hard disk as soon as it stops using the virus' interrupt. Typical symptom here is failure to load COUNTRY.SYS, since that's usually the first file that OS/2 looks for once in protect mode.

So:

- Boot viruses don't generally care if they're infecting an OS/2 system, with a few exceptions (the worst case is FORM: it assumes that the bootable partition is FAT, and if it's not, bad things happen: Boot Manager will have to be removed and reinstalled after FORM mungs it, unless you have IBMAV; and HPFS partitions can become completely corrupted by FORM).
- Boot viruses essentially never spread from OS/2 systems, because OS/2 doesn't use the real-mode BIOS services that virtually all viruses rely on in order to spread.
- If a virus decides to *damage* the system when you boot from it, it will be able to do this regardless of operating system or file system, since it gets control before OS/2 (etc.) does.
- You remove a boot virus from an OS/2 system with an OS/2 anti-virus product like IBM AntiVirus/2. DOS antivirus programs run in VDMs can generally not write to the machine's real boot records.

- --
David M. Chess                  | Hic Sunt in Fossa
High Integrity Computing Lab    | Viruses Ossa
IBM Watson Research             |

------------------------------

Date: Wed, 31 Aug 94 22:08:00 +0200
From: Rob_Vlaardingerbroek@f0.n3110.z9.virnet.bad.se (Rob Vlaardingerbroek)
Subject: changing genP/genB virus (PC)

> From: bontchev@fbihh.informatik.uni-hamburg.de
> (Vesselin Bontchev)
> Kevin Marcus (datadec@corsa.ucr.edu) writes:
>> Hm. I believe that SCAN detects the virus, "Quox", as "Stealth [Genb]"
>> on floppies, "Stealth [Genp]" on hard drives. It detects the Stealth_Boot.
> *
>> family as "Stealth Boot [Genb/Genp]".
> No, it is not so, but SCAN uses such a bad naming scheme, that I can
> easily see why you have been confused by it. Here are the names used
> by SCAN 117 when reporting those viruses:

- --cut--

The following was nice and probably right, but are you aware that the official McAfee software nowadays is called SCAN 210e? I think you should use that in a test like this; not knowing the results, it could be the same :-)

Sincerely,
Rob Vlaardingerbroek

- --- GEcho 1.01+
 * Origin: Virus Research Centre Holland LAB (9:3110/0)

------------------------------

Date: Tue, 06 Sep 94 10:15:51 -0400
From: rmts@interport.net (Paul G. Seldes)
Subject: Info on Anti-Virus packages (PC)

I'm looking for some articles on the merits of current AV programs for DOS based and Novell based systems. Any sources or areas on the NET would be appreciated. I also need some theoretical research info on viruses in general. Again, any leads/suggestions would be appreciated.
Paul Seldes
Chemical Bank Corp

------------------------------

Date: Mon, 05 Sep 94 13:22:04 +0400
From: Oleg Nickolaevitch Kazatski
Subject: Re; backform/FAQ (PC)

Hi !

R.Ellmaker (rick@astro.ocis.temple.edu) writes:

> (1) I downloaded f-prot 2.13 and scanned my system. I got a report that
> the command.com file was infected with BACKFORM (?) (...with the (?) ).
> Does anybody know anything about BACKFORM ?

It's a dangerous memory resident parasitic virus. On execution it hits the COMMAND.COM file. Then it hooks INT 13h, 21h and writes itself at the end of COM- and EXE-files. It infects newly created files on floppy only and writes itself on the file closing. The length of the infected file grows by 2000 bytes. The length of the COMMAND.COM file doesn't grow; this virus uses the algorithm of the "Lehigh" virus.

On infection of a COM-file the virus checks its first instruction. If this instruction is not JMP (E9h), the virus infects the file in the standard manner: it writes itself at the end of the file and overwrites the beginning of the file with a "JMP Virus" instruction. If the first byte is JMP, the virus overwrites the instruction where the first JMP points.

The trigger routine (by hooking INT 13h): depending on generation number and system date, this virus changes the system tables on floppy disk formatting. The sectors are formatted in reverse order: from the 9th to the first (for 360k floppies). If the floppy is not 360K the disk will not be accessible.

This virus contains the internal text string ":\command.com" also.

- -- OK

------------------------------

Date: Tue, 06 Sep 94 10:16:27 -0400
From: tdtennis@nyx10.cs.du.edu (Tim Tennison)
Subject: Jack the Ripper virus: Does a remover exist anywhere??? (PC)

Hello everyone, I'm new to this newsgroup and need some help/info.

A couple days ago, my computer became infected with the Jack the Ripper virus, which loads itself into mem upon boot, and infects the Master Boot Record. My machine has not yet totally crashed, but it is acting funny. I have tried several clean/remover programs, but to no avail. I have tried Central Point Anti-virus, Norton Antivirus, and of course McAfee Associates' Viruscan (the latter of which detected the virus but can't *clean* it??). I've tried some of the boot record cleaners off of the oak.oakland.edu ftp site under the /pub/msdos/virus dir, but most of these programs are for protection only.

Can anyone out there suggest a cleaner/remover for this particular virus? If so, please email me at tennison@ebs330.eb.uah.edu.

Thanx!
tim

------------------------------

Date: Tue, 06 Sep 94 10:16:35 -0400
From: joeshmoe@world.std.com (Joeshmoe)
Subject: Possible New Virus (PC)

I have recently been having problems on my computer that lead me to believe I have a virus:

1. The first thing I noticed was that I started getting a message saying "Too many files open" when I tried to run certain programs. This got more frequent, to the point where just running the programs in my AUTOEXEC.BAT gave me this message.

2. Changing the number of FILES in my config.sys did not help this, and QEMM's Manifest said that I had plenty of free file handles.

3. I then tried to run a copy of McAfee's SCAN 114 from my hard drive. It ran once, and did not find any virii. When I tried to run it again, I found that it had been corrupted. One other noteworthy fact is that the file date of SCAN.EXE had not been changed.

4. I downloaded a copy of SCAN 117, and when I unzipped it 1,091 bytes were added to SCAN.EXE. When I tried to run scan, I was informed that it had been modified. An addition of 1,091 bytes is a symptom of the Squeaker virus, but a clean copy of SCAN.EXE did not find anything Squeaker or any other virus on my hard disk.

5. When I ran a clean copy of SCAN.EXE from a write-protected floppy, I got a "Write Protect Error Reading Drive B:"; this led me to believe that the virus is memory resident, and was trying to infect .EXE files when I ran them.

The original error message, "Too many files open", is a 4DOS internal error message. The 4DOS help describes this to mean that there are too few file handles available. I've tried doing a clean boot, but after running a few things on my hard drive, I get the error message.

If anyone has any ideas as to what my problem is, and/or how to solve it, please contact me at joeshmoe@world.std.com, or post a reply to this message.

Thanks in advance,
Jascha Franklin-Hodge
joeshmoe@world.std.com

------------------------------

Date: Mon, 05 Sep 94 13:14:26 +0400
From: Oleg Nickolaevitch Kazatski
Subject: Re; KOH (PC)

Hi !

David Starr (starrd@hollywood.cinenet.net) writes:

> I would like information about the KOH "virus". It is supposed to be
> harmless and it encrypts your computer (which I like!) using the IDEA
> encryption.

It's a memory resident boot virus. It hooks INT 09h (keyboard) and INT 13h. On loading from an infected floppy it asks the user for permission to infect the hard drive:

  KOH-Encrypt your HARD DISK now (please backup first)?

and infects the HD on a 'Y' answer; in the other case it returns control to normal booting. On infection of the hard drive this virus encrypts its sectors; the virus asks for passwords before infection:

  Now, enter 2 passwords, 1 for HD, 1 for FD.
  FD PW can be changed anytime with Ctrl/Alt-K, C/A-O stops FD infect, C/A-H uninstalls on HD.
  Enter HD PW at power up. WRITE THIS DOWN!
  CASUAL encryption=fast but breakable--keeps out snoops.
  STRONG encryption=good but slow--keeps out all.
  Use disk ca
  Do you want STRONG encryption?

On loading from an infected HD the virus asks for the password and lets booting proceed on a true answer only. This virus infects/encrypts floppy disks also. It can decrypt disks and uninstall itself on the Ctrl-Alt-K, O, H keyboard keys.
This virus contains and displays other strings also:

  Initial load failed... aborting.
  Load successful.
  A: now infected with KOH.
  Sure you want to uninstall?
  Should change be permanent?
  Enter FLOPPY PW now.
  Now enter HD PW.
  Enter Password:
  Verify Password:
  Verify failed!
  KOHv1.00

------------------------------

Date: Tue, 06 Sep 94 10:17:03 -0400
From: joeshmoe@world.std.com (Joeshmoe)
Subject: Possible New Virus (PC)

Since the posting of my original message, I have learned some more information about this virus.

1. It only infects .EXE files.
2. It is memory-resident.
3. It only infects .EXE files when they are accessed.
4. It has been distributed on several pirate FTP sites, listed as "ARJ 3.0 (Registered)".
5. It is only detectable by using F-PROT's heuristic scan feature.

I have overwritten all but one instance of this virus on my hard disk. If any reputable virus researchers are interested, I can send them a copy of it.

-Jascha Franklin-Hodge
joeshmoe@world.std.com

------------------------------

Date: Mon, 05 Sep 94 13:17:18 +0400
From: Oleg Nickolaevitch Kazatski
Subject: Re; HELP FKRUEGER (PC)

Hi !

Derneval R R da Cunha (rodrigde@cat.cce.usp.br) writes:

> > the all exe files. When I use the scan 2.02 it says the name of the virus
> > is FKRUEGER. Just like that in capital characters. But the clean 116

Freddy.2271
-----------

It's a polymorphic virus; it searches for COM- and EXE-files and hits them on every INT 21h call. Sometimes on saving data to a file (INT 21h, ah=40h) this infector saves a random byte. It contains the internal text strings:

  COMMAND.COM
  *.COM
  *.EXE
  Freddy KRueGer 2.1
  Fridrik!

Good luck !

- -- OK

------------------------------

Date: Tue, 06 Sep 94 10:17:21 -0400
From: alan@newsserver.trl.OZ.AU (Alan Christiansen)
Subject: symptoms: Insufficient mem to shell to DOS (PC)

I realise asking a question here is a bit premature, as the fault could be anything, but I have some important data in that box and important work to do on it, and this symptom has just kind of appeared out of nowhere. I have no idea how I could have messed up my system to give it these symptoms, so I am a little worried something else may have messed up my system.

Symptoms: I have a 486 with 16M of RAM. I am running Windows 3.1 in enhanced 386 mode, I have 13566K of swap file, I have sufficient resources to run lots of Windows apps, I have > 570K of conventional memory free before going into Windows, BUT......

If I try to run Command.COM, Windows says insufficient memory, try closing some Windows apps and try again. There are however no Windows apps running!

So how did I wreck the system? (ie what silly thing did I do?) I have no idea. Does anybody have any idea how this can happen to a system? ie. Is there a virus that can have this side effect?

Alan (the totally perplexed.)

- --
#include
My employer may or may not agree with anything I say.
I may or may not agree with anything I say. etc ...
(nil bastardo carborundum)

------------------------------

Date: Mon, 05 Sep 94 13:20:49 +0400
From: Oleg Nickolaevitch Kazatski
Subject: Re; Has anyone had the sigilit virus? (PC)

Hi !

Charles Nicolosi (nicolosic@gacsrv.gactr.uga.edu) writes:

> This morning we came across a virus called "sigilit."
>
> I've tried using
> several different virus removers, including Norton Anti-virus, Central
> Point, and a couple shareware types.

It's a memory resident, not dangerous virus "V-sign" which hooks INT 13h and hits boot sectors of floppy disks and the MBR of hard drives. It inserts 40 bytes of installer code into the sector during infection.
On every 64th infection this virus types a large letter 'V'.

Try AVP.

Good luck !

- -- OK

------------------------------

Date: Wed, 07 Sep 94 07:47:38 -0400
From: pein@informatik.tu-muenchen.de (Ruediger Pein)
Subject: Non-virulent self replicating programs (PC)

Hello,

I've got a question concerning self replicating programs in general. I'd like to know which forms of those replicating systems aren't called viruses. I understand that worms, for example, spread without the help of a host program, so because of this difference they aren't called viruses. But what about the floppy disk containing an AUTOEXEC.BAT with the "diskcopy a: b:" command (I think this example already has been mentioned here by Alan Solomon)? What's the difference here to a real boot virus? Is it because it doesn't spread very well, or only that it is an overwriting virus, destroying all the data on the target disk? If so, you could change the AUTOEXEC.BAT to "sys b:", "copy sys.com b:" or anything like that (of course you have to have the program diskcopy.exe or sys.com on this floppy, too), resulting in a non-overwriting boot virus. Or am I wrong?

Then I know of compiled programs that will replicate their exact source code. They aren't viruses because you have to recompile these replicates manually, right?

Okay, and why don't you call XCOPY.EXE a worm that spreads under the condition that you call it with the parameters "XCOPY.EXE "?

I know this is a really unintelligent question, but I'd like to exactly understand the difference between virulence and non-virulence. What other non-virulent self replicating systems do you know of? Is Corewars virulent?

Thanks in advance!

Ruediger Pein

------------------------------

Date: Wed, 07 Sep 94 10:08:02 -0400
From: a0631vdc@c1.cc.univie.ac.at (Gerhard Kluenger)
Subject: ThunderByte 6.23 (PC)

Yesterday we installed Thunderbyte V 6.23 from ftp.informatic.uni-hamburg.de on two different PCs.

The DOS version reports on first invocation (already during installation) on both PCs "Memory infected by Ripper virus". Continuing with installation of the Windows part worked well; invocation of the scan yielded no more memory msg, but found 2 or 3 files already changed (within about 10 minutes since the first scan to build up the database). Rebooting from a clean diskette on one PC and immediately executing TBAV results in the same msg ("Memory infected by Ripper virus"). Is it possible that we imported the virus along with the AV-SW?

Apart from this, TBAV found nothing where AVP found the Vienna.648.a virus in RESO.COM (but this is quite another problem).

- --
- -------------------------------------------------------
Gerhard Kluenger            Email: Gerhard.Kluenger@univie.ac.at

------------------------------

Date: Wed, 07 Sep 94 10:41:13 -0400
From: a0631vdc@c1.cc.univie.ac.at (Gerhard Kluenger)
Subject: AVP V 2.0 (PC)

I installed AVP V 2.0 on my 486 DX2/66 and on a DECpc 433. Running the program on both PCs, it hangs rather near the end of the task (it goes through the directories in alphabetical sequence and stopped repeatedly in the WINDOWS directory after about 230 MB scanned). I had to reboot the system in both cases.

Next I tried to run the program from the diskette with the minimum files indicated in !READ.!ME. After a lot of warnings I had to indicate a drive where to put the swap file (2MB). With such a size I had only drive C. However, after the program had run for a while, it could not write the file to drive C, but gave no further explanation why it cannot, and asked for an alternate drive. I proposed a:, but got the same msg.

Altogether I got the impression the hangs are the result of some problems writing some file to disk. Are there any similar observations or hints what might cause the problems?

Thanks.

- --
- -------------------------------------------------------
Gerhard Kluenger            Email: Gerhard.Kluenger@univie.ac.at

------------------------------

Date: Wed, 07 Sep 94 15:35:15 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: New Virus? (PC)

Philip Tong (CL-28951@cphkvx.cphk.hk) sent me a uuencoded EXE file, along with a note indicating that he believed it is infected. A quick look at the executable showed it contained suspicious code. It appeared to be decrypting part of the code segment. The code remained unchanged in size after decrypting, so I do not believe it is a decompression (though the file was compressed with PKLITE).

The infected programs seem to run normally. Sterile investigation shows that running an infected program leaves a memory resident part. When a directory access is made to a file with an EXE extension, it is infected, growing in size (I forget by how much). The new files are infective. When a DIR command is done on the infected files, the original sizes are displayed until a reboot. This may be due to DOS caching directory entries; it may be due to viral activity. I did not investigate this.

A signature for the virus is:

  2E 8A 24 32 E0 2E 88 24

No cleaning procedure other than reloading from original uninfected files is known to me.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 08 Sep 94 16:08:09 -0400
From: Andy Berger - ITS User Support Services 803-953-6988
Subject: Monkey.Stoned virus on multimedia 486 won't go away... (PC)

Boot-sector virus that acts just like the NOP we had previously on our campus. System is running DOS 6.0 and it's a 486/66 with a 300+ Meg internal SCSI drive. Tried FDISK/MBR to no avail. Tried F-Prot and CLEAN with no effect. F-Prot says to boot from a clean disk. When I do this, it "disengages" the hard drive so the system doesn't recognize it.
Rebooting from the hard drive, the drive "pops" back to life as if nothing happened. Microsoft Antivirus doesn't even find the virus. It hasn't done any damage (yet) so maybe there's really no virus???? Any hints would be greatly appreciated.

- -Andy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Andy Berger                      |             (803) 953-6988
User Support Specialist          |      0.0    (803) 953-6996
ITS - The Citadel                |      ---    BERGERA@CITADEL (BITNET)
Charleston, S.C. 29409           |             BERGERA@CITADEL.EDU (Internet)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Fri, 09 Sep 94 11:46:03 -0400
From: mannig@world-net.sct.fr (Gerard Mannig)
Subject: spread of UUENCODEd virus in Fido virus echoes (PC)

PRESS RELEASE # 5

Some UUENCODEd viruses have been spread last week in FiDo virus echoes well known in our country.

The resulting files are named:

  DK.COM
  DBMOTHER.EXE
  HOWARD.COM
  ADAMSFAM.ZIP (including ADAMS.NFO, ADAMSSIG.DAT, COUS_IT.COM, GOMEZ.COM, LURCH.COM, MORTICIA.COM, PUGSLEY.COM, THING.COM)
  SPORT21C.ZIP (including INSTALL.COM, SPORT21C.EXE, DOCUMENT.DOC, SPORTS.COM)

The top-ranked AV software detects these strains only partially:

- nothing suspect (including in 'heuristic' mode) on some of both the original files AND infected files
- nothing suspect (including in 'heuristic' mode) on some infected files

FILES         McAFEE SCAN       F-PROT              TBAV          Comments
---------------------------------------------------------------------
DK.COM        KHON-B            KB                  Deathboy      Nothing suspect on DK.COM
                                                                  but detection on infected files
DBMOTHER.EXE  -                                                   to be studied
HOWARD.COM    -                 Possibly a new      Probably      TBAV diagnose only on
                                variant of ATOMIC   infected by   infected files
                                virus               an unknown
                                                    virus
Adams family  GV (NGV)          Genvir....          GENVIR        Partial detection
              93 (N93)
              NGV-THIN
              NGV-MORT
              NGV-UNCL
              NGV-WEDN
SPORT21C      Butterfly (FLY)   Butterfly.family    Butterfly     no detection on original files
              Crusades                              BUTTERFL.
                                                    CRUSADES
---------------------------------------------------------------------

Due to both the quantity of viruses and the time needed for analysis, this information is PARTIAL, although it allows a first-level detection.

For further details, feel free to ask:

  Gerard MANNIG   (Phone/FAX: +33 3559-9344)
  Kristian LOUISE (Phone: +33 1 4098-8214)
  Francois PAGET  (Phone: +33 1 4652-3843)

Francois PAGET, President
French Computer Criminality Research Center
PO Box 109
F-95135 LE PLESSIS BOUCHARD CEDEX
BBS: +33 1 3415-4959
Voice machine: +33 1 3072-9443

Regards,

- ------------------------------------------------------------------------------
Gerard MANNIG                 Virus Consultant
Phone/FAX : +33 3559-9344     EMail : mannig@world-net.sct.fr     FiDo : 2:322/2.1
Member of : FRENCH COMPUTER CRIMINALITY RESEARCH CENTER
            ( data +33 1 3415-4959 - Voice machine +33 1 3072-9443 )
            COMPUTER RESEARCH INFORMATION SERVICE ftp.mcs.com
... Remember that the best time to worry about viruses is BEFORE getting infected ...
- ------------------------------------------------------------------------------

------------------------------

Date: Fri, 09 Sep 94 12:00:10 -0400
From: rhb@ucs.usl.edu (Bird Rendell H.)
Subject: HP's "Survey" floppy [VForm] (PC)

Anyone heard of this one? Supposedly, HP sent people a floppy with a "customer satisfaction survey" on it for them to take at their own leisure. Well, today someone from HP called and said that we were to destroy the floppy because it probably had the VForm virus on it. Not being one to take such warnings lightly, I popped it into a Macintosh and wiped it out.

Afterwards, I decided to check through F-PROT's listing of known viruses, and there was no mention of a "VForm" virus, specifically. Of course, there was quite a bit about "Form", but not "VForm".

Did anyone else get this "survey" floppy? Did anyone else get a call from HP folks? Has anyone ever heard of the VForm virus?

(Wow! How am I managing to match lines?)
Rendell (rhb@usl.edu)

------------------------------

Date: Mon, 12 Sep 94 13:16:53 -0400
From: fletcher@bud.peinet.pe.ca (Scott Fletcher)
Subject: Secret Virus? (PC)

Hi,

I just got off the phone with one of my clients who says he caught a computer virus off the net. This is the info I've been able to collect courtesy of Radio Shack in Souris, Prince Edward Island. First of all, they never ran a virus checker through the client's machine and there is no way of determining if this alleged virus came from the net.

1. The client's machine stopped working and would refuse to boot.
2. There was a directory on his hard drive called secret.
   - the directory and files were copy protected
   - they were massive in size, basically using up all the storage space on the drive.
   - file contents were garbage

Does anyone know a virus that will do this sort of thing? If so, is this virus common on the net? I wish I had more info, but the people servicing the machine didn't seem too concerned about the virus and just reformatted the whole drive.

Scott

- --
|===========================================================================|
| Scott Fletcher                  ||  End User Support                      |
| fletcher@bud.peinet.pe.ca       ||  902 892-7346                          |
|===========================================================================|

------------------------------

Date: Mon, 12 Sep 94 13:19:58 -0400
From: image@stan.canberra.edu.au (X Image Project)
Subject: Help ! virus infected. (PC)

A new '94 virus called "Anti thunderbyte" has been detected. It cannot be detected and cleaned up with the latest version of McAfee's virus scanv117, and many commercial antivirus tools. It infects all executable files in my PC clone machine. If anyone knows about this virus and the products to clean it up, could you please send me an email or post it on this newsgroup.

Thanks in Advance.

------------------------------

Date: Mon, 12 Sep 94 13:21:04 -0400
From: image@stan.canberra.edu.au (X Image Project)
Subject: Help ! Anti Thunderbyte (PC)

A new '94 virus 'anti-thunderbyte' has been detected. It infects all executable files in my PC machine. It cannot be detected and cleaned up with the latest version of McAfee's scanv117 and cleanv117. If anyone knows any information about this virus and any products able to clean it up, please send me an email or post it on this newsgroup.

Thanks in Advance.

------------------------------

Date: Mon, 12 Sep 94 13:21:11 -0400
From: jshaye@greyhawk.ts.wm.edu
Subject: Info needed on Little Red Virus (PC)

Little Red has hit our campus. I have been looking for information on what the virus does. We have been using F-Prot to remove the virus. I need to know what damage the virus does.

Scott Hayes                         jshaye@mail.wm.edu
Computing Support Services          Gopher Administrator
The College of William and Mary in Virginia

------------------------------

Date: Mon, 12 Sep 94 16:45:41 +0000
From: RRSCHAUH@ELECOM2.watstar.uwaterloo.ca (R Chauhan)
Subject: Mutation Engine (PC)

Anyone have any info on how the Mutation Engine works? I have cooked up some homemade anti-virus tools, and want to know how to detect it. If you know where I could find the source code for it, I'd be interested.

- ------------------------------------------------------------------------------
R Chauhan

------------------------------

Date: Mon, 12 Sep 94 13:26:21 -0400
From: ST29701@vm.cc.LaTech.edu
Subject: VDS ?? (PC)

I was looking at a virus scanner that I had never looked at before: VDS (Virus Detection System). I was wondering how good a scanner it is? What about heuristics? It says it also has an integrity checker; how good is it?

thanks
Alan

------------------------------

Date: Mon, 12 Sep 94 13:39:01 -0400
From: kennedy@vt.edu (David C Kennedy)
Subject: ANTI-EXE What does it Do. (PC)

Does anyone out there know what Anti-Exe corrupts? Norton 8 says it corrupts specific unknown exe files.
I got the virus from the school computer and caught it before it got on my hard drive, but I was just wondering. ------------------------------ Date: Mon, 12 Sep 94 13:39:03 -0400 From: kennedy@vt.edu (David C Kennedy) Subject: V-Sign Virus (PC) Any information on the V-sign virus would be appreciated ------------------------------ Date: Mon, 12 Sep 94 14:35:50 -0400 From: sauls@odp-sun3.tamu.edu (Jeff Sauls) Subject: Nops virus? (PC) I have a problem that hopefully someone can help me with. Vshield and Scan report a NOPS virus, but I have not been able to clean it. Does anybody know of a virus program that can clean this? Any help would be greatly apreciated, If possible please respond through email: Jeff Sauls email: Jeff_Sauls@odp.tamu.edu Information Services Ocean Drilling Program ------------------------------ Date: Mon, 12 Sep 94 14:45:10 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: backform/FAQ (PC) >> the command.com file was infected with BACKFORM (?) >Do you mean "BackFont"? There are at least four variants: There is a virus named Backform ... F-prot detects it, but does not identify it exactly .... just reports "Backform (?)" .... the question mark also indicates that F-prot cannot disinfect it. - -frisk ------------------------------ Date: Mon, 12 Sep 94 14:47:11 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: F-Prot scans UMBs ??? (PC) trebor@test1.stack.urc.tue.nl (tREBOr) writes: >I was wondering if F-Prot scans UMBs (A000-FFFF-segments, tech. speaking) as >well. It does. However, that can be disabled with the /640 switch If it does: are there any viruses who utilize it, yes, there are a few... - -frisk ------------------------------ Date: Mon, 12 Sep 94 14:49:43 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Need Help With Trident Virus (PC) mhwoo@ucdavis.edu (I Wouldn't Normally Do This Kind of Thing.....) writes: >Hey dudes, > My computer has been infected by the [TridenT] virus. 
After I >deleted all the infected files, I used the scan116 to scan my harddisk >and no virus was found, but later, I find it again after 1 or 2 days. this is simply because the scanner does not detect the virus reliably...use some different scanner.....I cannot tell you if F-PROT, TBAV and/or AVP are able to detect the virus, as [Trident] is not an accurate identification, so I really don't know which virus this is. - -frisk ------------------------------ Date: Mon, 12 Sep 94 18:11:49 +0000 From: jfl@hobbes.cca.rockwell.com (Joe Lawrence) Subject: Re: BSVs and F-PROT/VIRSTOP (PC) datos@crl.com (Randy Ridgely) says: > > (Please see ObDisclaimer below before flaming me.) I have placed >a floppy which is known to be infected with the C variant of Stealth_boot >(CPAV & F-PROT both ID'ed it, altho CPAV only called it Stealth :-( ) > (ObDisclaimer: I have spent nearly every free waking moment of >the last four days pouring over this newsgroup (slash-mailing-list), >the documentation for F-PROT and a few other AV s/w packages, downloading >and reading papers and gopher descriptions. Yes, I read the FAQ -- >tho't you might like to know that someone actually *does* once in >awhile...*before* posting. I would send email to frisk directly rather >than waste bandwidth, but I sent him mail two days ago about purchasing >a site license for F-PROT. I haven't received a reply, so I figure if >he's too busy to reply to a question involving money, he's too busy to >answer freebies. This sounds familiar. I too sent frisk a direct e-mail over a month ago about a virus that F-PROT couldn't detect with the same result, no response. (The reason for the direct mailing was that, at the time, our news server couldn't post to moderated groups. Supposedly this has been fixed.) Either frisk isn't interested (highly doubtful) or his mailer is broken or he just ignores mail to frisk@complex.is. Incidentally, several other products sucessfully found the virus. 
Of course, they each called it something different and none of them could
disinfect it. Not to worry, it was a .com infector only, so we deleted
all the infected .com files and replaced them.

Now for _my_ complaint. This group has really gone downhill. The primary
contributors seem to spend most of their time fighting with mushmind
liberals. Not that this is a _bad_ thing, just unproductive. Vess, you
claim that you don't have enough time to update your Caro database, yet
you can spend time writing detailed rebuttals to people like McCarthy and
Rosenthal who are probably ignored by the majority of the subscribers
anyway. Frisk, you have a great product, yet you DON'T ANSWER MAIL. Ken
(yes you, Mr Moderator) do a solid job moderating this group, yet it's
been 19 days since comp.virus had anything on it. I'm reading stuff that
was posted almost 3 weeks ago. Not a lot of help to people whose PC's
were down because of a virus back then. By now, they've fixed it some
way, probably the wrong way, because they couldn't get a timely answer
for their problem.

>        I'm trying to dig myself out from under an infection
>of Stelboo_C at work with half the staff out sick or having quit, while
>persuading the Powers-That-Be that F-PROT is better than CPAV/VSAFE,
>despite the latter alerting on a simple DIR of the virus-laden
>diskette.  Please excuse me if I seem a bit impatient; I don't mean to
>be.  I know we *all* have lives and heavy workloads.  Thanks for
>listening; flame away.
>:-)
>- --
>randy

Ditto

Joe Lawrence                 |"All opinions are mine, not Rockwell's"
Engineering Support Services | To do is to be    - Nietzsche
Rockwell International       | To be is to do    - Sartre
jfl@hobbes.cca.rockwell.com  | Do be do be do    - Sinatra

------------------------------

Date: Mon, 12 Sep 94 19:30:20 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: VIRUSCAN 2.x gripes & grumbles (PC)

Lucas wrote:
[complaints about SCAN Version 2 deleted]
)Okay, here's what is known, and what is being done:
)
)   1)  VirusScan 2.10 will not run on XT's because of assembly routines
)       designed to optimize the product on AT's.  We're planning on
)       producing another version of ScanV2.x for XT's [speed certainly
)       isn't an issue here].
)
)   2)  VirusScan 2.10 does not run in DOS 3.3x.  2.1.1 corrects this.
)       BTW, 2.1.1 beta should be available tomorrow sometime, with a
)       targeted release of next week.
)
)   3)  The workaround for QEMM 7.0x is to load VShield after all of
)       the QEMM commands have been executed in the Autoexec.bat.
)
)   4)  VShield 2.1.1 should fix any alarms that were being displayed
)       when VShield is scanning upper memory.  These were NOT false
)       positives, but rather a conflict with the system BIOS.
)
)   5)  WScan 2.1.1 corrects a conflict with Netware VLM drivers.

Ok, then here's something which is "not known". Version 2 gets into
infinite loops.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Mon, 12 Sep 94 20:10:46 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: GenB virus - Need Help (PC)

Steve Daley wrote:
[stuff deleted]
)The following programs give the following reports:
)
)McAfee 2.01         GenB at 960k
)Thunderbyte         Unknown Boot sector virus
)MSAV                Nothing
)CPAV                Nothing
[more deleted]
)No attempts to remove the virus work.  I have done the following (as
)well as about 500 other things):
)
)   1. Make 6.2 boot disk on clean machine with only Himem.sys and Emm386
)      loading
)      - boot infected machines and check with Scanner - Same Result as above
)   2. Sys the hard drive from a clean floppy
)   3. Re-format hard drive, re-install DOS from BRAND NEW package
)   4. Low level drive, then do step 3.
)
)None of these or anything else helped the situation at all.
)
)   ANY HELP ON THIS WOULD PROBABLY GET MY BLOOD PRESSURE
)   BACK TO SOME SORT OF ACCEPTABLE LEVEL !!!
)

3 and 4 are really overkill. It is possible that your low-level formatter
and/or FDISK is infected, or your format program is infected. Did you
scan these programs when booted "clean"?

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Mon, 12 Sep 94 21:01:09 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Need Help With Trident Virus (PC)

I Wouldn't Normally Do This Kind of Thing..... wrote:
)Hey dudes,
)
)        My computer has been infected by the [TridenT] virus. After I
)deleted all the infected files, I used the scan116 to scan my harddisk
)and no virus was found, but later, I find it again after 1 or 2 days.
)I haven't added any new files to the computer after I deleted the
)infected files.  So I know it is hidden some where inside my harddisk.
)Can somebody help me to remove it?  Thank you very much for your help!

Did you boot from a floppy? Did you run any program from a floppy? Did
you scan your floppies? Not only hard discs get infected. Reinfection is
usually through floppy in cases like this.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Mon, 12 Sep 94 21:13:41 -0400
From: dhaesler@ccnet.com (Deborah Haeseler)
Subject: What is KAOS4 (PC)

Does anyone know about a virus called KAOS4? It has evidently infected
PCs at my husband's office. What are the symptoms? What does it do?
------------------------------

Date: Tue, 06 Sep 94 10:15:25 -0400
From: Iolo Davidson
Subject: Utility to Test Memory Resident Anti-Virus Scanners (PC)

Pitch and Catch are a pair of programs for the IBM PC and compatibles
which may be used to automate the testing of the detection capabilities
of anti-virus TSRs (memory resident anti-virus programs) on collections
of file viruses. They have been released as shareware, and are available
at:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/pitch.zip

Please note: these tools are designed for use by anti-virus researchers
who have large research collections of viruses. They are useless without
real viruses to use in testing. If you do not have a collection of
viruses to test with, then Pitch and Catch will not be of any use to you.

- --
Iolo Davidson
PGP fingerprint: CB F5 05 75 32 41 F7 E9 1E 56 7B CA 05 3D 63 9E

------------------------------

Date: Tue, 06 Sep 94 10:15:37 -0400
From: mannig@world-net.sct.fr (Gerard Mannig)
Subject: Announcement: French Computer Criminality Research Center

Hi :

We are proud to announce the creation of the French Computer Criminality
Research Center in June 93. RECIF is the French acronym, the US one is
FCCRC. For practical reasons, we preferred to wait some months before
announcing our creation.

The RECIF society ('Recherches et Etudes sur la Criminalité Informatique
Française') targets the exchange of experiences and ideas to fight
computer criminality. These exchanges may be done between both RECIF
members and national/international societies running in computer
security.

Main activities of RECIF are recording, collecting, studying all
information about computer foul-play. RECIF members meet regularly and
publish both documents and utilities relating to their goals for
individuals, corporates and media. RECIF's BBS is one of its
communication media !
Feel free to tell others about RECIF by broadcasting its coordinates or,
better, by joining it.

Association RECIF - non-profit society managed by 7/1/1901 French law
P.O Box 109
F-95130 PLESSIS BOUCHARD
RECIF BBS : +33 1 3415-4959 - V22 V22bis V32

Officers :
President :       Francois PAGET    - ALCATEL TELSPACE
Vice-Presidents : Philippe GOUREAU  - THOMSON
                  Kristian LOUISE   - SOCIETE GENERALE
Secretary :       Claude LALLINEC   - BNP
Members : 10 other individuals, some of them representing big companies
(Equipment Department, LA POSTE, Police Department...) and some other
big companies or Departments are planned to join in months.

Further details, questions must be sent to Gerard MANNIG (see hereafter
for the E-Mail coordinates) as FCCRC has no E-Mail address for the
moment. Feel free to criticize our board and to make us know what you
would like to find on it.

I can be reached by phone/FAX at +33 3559-9344 but mainly at the
addresses hereafter. You may write in French, English or Spanish : I'll
respond in the same language.

Hope to be of assistance

Regards,
- ----------------------------------------------------------------------------
Gerard MANNIG  Virus Consultant            l Phone/FAX : +33 3559-9344
                                           l EMail     : mannig@world-net.sct.fr
                                           l FiDo      : 2:322/2.1
Member of French Computer Criminality Research Center (data +33 1 3415-4959) l
Remember 'that the best time to worry about viruses is BEFORE getting
infected ...' l
- ----------------------------------------------------------------------------

------------------------------

Date: Sat, 10 Sep 94 14:45:32 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: tbav - Thunderbyte anti-virus v6.24 (Complete/Windows/Optimized) (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm),
(available by anonymous ftp from the primary mirror site OAK.Oakland.Edu
and its mirrors):

SimTel/msdos/virus/
tbav624.zip     Thunderbyte anti-virus pgm (complete) v6.24
tbavw624.zip    Thunderbyte anti-virus pgm (windows) v6.24
tbavx624.zip    TBAV anti-virus - processor optimized versions

Replaces:
SimTel/msdos/virus/
tbav623.zip and older
tbav623a.zip
tbavw623.zip and older
tbavx623.zip and older

The Thunderbyte Anti-Virus utilities are ShareWare. There are 4 security
modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are
programmed in assembler and therefore very fast! TbScan is a signature,
heuristic and CRC scanner. It detects known, unknown and future viruses.
TbScanX is the resident version of TbScan. TbClean is the first heuristic
cleaner in the world. Even an infected file with an unknown virus can be
cleaned. TbMon consists of 3 resident programs (TbMem, TbFile, TbDisk)
which monitor your system against unknown viruses. From version 6.22 a
complete Windows version is available. Note that for Windows you need
both the Windows and the DOS files !

TBAV is uploaded by its authors to anon-ftp site ftp.twi.tudelft.nl (in
dir /pub/msdos/virus/tbav) and from there distributed to SimTel (via
oak.oakland.edu), garbo.uwasa.fi and nic.funet.fi and from there to their
mirror-sites.
Greetings, Piet de Bondt                        bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Mon, 12 Sep 94 13:21:55 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Ulrich R. Herken wrote:
)I normally try to avoid being polemic, but here I somehow can't resist:
)
)Mike McCarty wrote:
[stuff about ease of obtaining viruses deleted]
)Any kid who knows how to use his fingers can get a gun and shoot
)someone. If it were difficult to get guns, then nobody would need
)bullet proof vests or security squads (and no one would be shot).
)Get the drift?

I also oppose gun control. Only if everyone has easy access to guns will
the law abiding citizen be free.

[other stuff related to gun control deleted]

)>What we need is good antiviral products. We do not need thought police.
)
)What we need is good bullet proof vests (and helmets, and armoured cars
)and ...)

Yes. I agree. And a well-armed citizenry capable to defend itself. Then
the crooks will be afraid to attack the citizens and we will all be
safer.

)>We believe in liberty. We believe in freedom of thought. We believe that
)>individuals have intelligence.
)
)Right! That's why the US is the only country, where "Do not touch" is
)added to the line "Caution! Hot!".

The people who -run- our country do -not- believe in the things listed
above. The "we" was used in context of people of similar opinions to me.

)> We believe that people should be free to
)>learn and use everything there is to know in the universe. We believe
)>individuals should be responsible for their _own_ behavior (and no one
)>elses!).
)
)Good examples for that would be prohibition and McCarthy for example.
)But you are right, everyone should be able to do what they want,
)so have the KKK go on to eliminate some of these niggers.
I happen to approve of Senator McCarthy. I do not approve of the KKK. I
do approve of people being able to peacefully assemble. Sometimes the KKK
does that, and sometimes not. But we digress.

)>DISTRIBUTE INFORMATION FREELY AND POSITIVELY. HOLD PEOPLE ACCOUNTABLE
)>FOR THEIR OWN ACTIONS.
)
)Good idea, even if it weren't in all capital letters.

Is it a better idea in all caps? :)

)>I HATE being attacked by viruses. Let's stop them! But please QUIT
)>TRYING TO SUPPRESS INFORMATION! LET'S SUPPRESS THE PEOPLE WHO
)>DELIBERATELY CREATE AND RELEASE VIRUSES WITH MALICIOUS INTENT!
)
)[POLEMICS OFF]
)I absolutely agree with the need for distribution of information.
)I definitely do not agree on the idea, that the information needed
)in this case is gathered by making virus code available to
)everyone.

[stuff deleted]

)>What you say sounds like Nazi Germany and Communist Russia to me. There
)>are a few intelligentsia who know how to run the lives of everyone
)>else. They are allowed to collect viruses and thwart them for the rest
)>of us. Oh, by the way, the ones who support this idea always seem to be
)>a part of the intelligentsia, not one of the plebes. BAH!
)
)Since no one has proven until now, that anarchy works, there will
)always be some people "running the lives" of others (government is
)an example that comes to mind). Wouldn't even you prefer to have
)an intelligent government instead of one that has no bloody idea
)about what is going on?

I don't believe in anarchy. I do believe in government. The purpose of
government should be to hold people responsible for evil acts, i.e. to
catch crooks. It should not be to -prevent- crime. To do this government
has to take action against people -before- they have done anything wrong.

)> Only knowledge and experience can make a person safe from viruses.
)
)Good point.

Thank you.

)> When we all know how they work then:
)>
)>      there will be much less incentive to write them
)Wrong. The incentive to do harm to others is quite independent of the
)knowledge how to cause that harm.

Well, it's hard to -know- another's motives, I suppose. Perhaps you have
a point here as well. There probably are some who have a desire simply to
hurt anyone, anyhow. But I -imagine- that most want to have some feeling
of power from, "beating the system". These would stop, I believe.

)>      we will be able to protect ourselves from the ones being written
)
)Hopefully yes. But there will always be someone _clever_ enough to
)develop a new idea, of which you wouldn't know.

Of course.

)Again please excuse my inadequate style in the above, but this one
)really made me angry.

Sorry to make you angry. It is not my intent.

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Mon, 12 Sep 94 21:01:12 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Vesselin Bontchev wrote:
[stuff deleted]
)> Virus Simulator creates a simulated test suite of .COM and .EXE programs
)> as well as boot sector and memory resident viruses.
)
)False claim #1. The virus simulator DOES NOT generate boot sector and
)memory resident viruses. The programs that it generates are not
)viruses, with exception of the two MtE-based viruses that come with
)the registered version, and they are neither boot sector, nor resident
)ones. Therefore, the documentation lies and misleads the user. This
)makes one false claim.

I don't understand your objection, Vesselin. The word "simulated"
appears prominently in what you quoted from Doren, but you seem to
object that they are not viruses.
The way I read what you quoted is:

        Virus Simulator creates a simulated test suite
        The test suite includes simulated .COM program viruses
        The test suite includes simulated .EXE program viruses
        The test suite includes simulated boot sector viruses
        The test suite includes simulated resident viruses

)> These programs
)> contain the signatures (only) from real viruses.
)
)False claim #2. With a few exceptions, there is no such thing as *the*
)signature of a virus. Even if we leave alone the fact that the mere
)term is wrong and misleading (those things should be called "scan
)strings"), for any particular virus there are usually a large number
)of possible scan strings ("signatures"). The only exceptions are the
)polymorphic viruses (no scan string possible for them) and the
)variably encrypted viruses with a short, constant decryptor (only a
)single good scan string). This makes two false claims.

I agree with you here, Vesselin. "A Scan String" or even "A Signature"
is much better than "The Signatures". Also, the documentation does not
contain an adequate description of what a signature is, nor how it is
used by scanners, nor that many "signatures" exist for any given virus.

[more deleted]

)You have "forgotten" to tell that you have actually ripped off those
)scan strings from other people's scanners, but I'll let that pass...

Do you have personal knowledge that Doren has "ripped off" someone's
scan strings? If so please enlighten us.

)> Since these are really only dummy viruses,
)
)False claim #3. THEY ARE NOT VIRUSES. Not at all. This makes three
)false claims and one correct claim.

I don't know what a "dummy virus" is. Without clarification, I don't
know whether this statement is true.

[more deleted]

)Actually, the *good* scanners will follow the file entry point and
)look for the scan string only at a particular offset - where it has to
)be in a real virus. So, the *good* scanners are unlikely to be triggered
)by the simulations produced by Virus Simulator.
I think that Doren does not make it sufficiently clear that the positives
are Type I errors. Nor does he go into sufficient detail (in my opinion)
concerning Type I and Type II errors.

[more deleted]

)> The Virus Simulators and supplements are really intended to give users
)> some hands on practical experience using their virus protection
)
)False claim #5. The Virus Simulator gives them only some hands on
)experience when encountering a false positive.

The claim is that they are "intended".

[more deleted]

)No, it isn't. The only part that would set off an integrity checker is
)the part that overwrites the boot sector or infects with the MtE-based
)(real) viruses. However, this happens on a diskette only, and
)practically no integrity checker checksums floppies, because it is
)pointless.

But there -are- virus detectors which will detect this activity.

BTW, our feed was cut off for over a week. Did you reply to me on my
query as to whether a better "intercept suspicious activity" than
FluShot+ exists?

)You mean - those who you have extorted to tell you which scan strings
)they use in their products, because if they are not generated by your
)simulator, they won't be detected in a "test"...

Do you have personal knowledge that Doren has extorted anyone? If so
please inform us. (But see below.)

[deleted]

)> These samples make every effort to get caught and many
)> anti-virus products make efforts to catch them.
)
)Please list some products that make efforts to catch your particular
)samples and are not simply fooled by them.

Vesselin, you seem to be talking out of both sides of your mouth. First
you claim that there exist scanners which Doren has "extorted" into
making special efforts to find his "simulated viruses", then you
challenge Doren to produce the name of a scanner which makes efforts to
catch his product. Don't you have a list of names yourself? Or why did
you claim that Doren "extorted" people? Or have I misunderstood your
position?
Doren, your phraseology "make every effort to get caught" is pretty
misleading when you are talking about files which have no viral code
which is ever executed in them.

In any case, Doren, you should stop advertising your real virus. The
charter here is supposed to prevent that.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Fri, 26 Aug 94 13:13:26 +0100
From: Luca Sambucci <93647758S@sgcl1.unisg.ch>
Subject: VIRSIM Test (PC)

- -----BEGIN PGP SIGNED MESSAGE-----

>                       VIRUS SIMULATOR TEST
>                 Copyright (C) 1994 Luca Sambucci
>                       All rights reserved.
>          Italian Computer Antivirus Research Organization

For some years a program called "Virus Simulator" has been distributed
as shareware software from Rosenthal Engineering. This program claims to
generate "simulated viruses" to allow the users to do their own tests on
antivirus products without any fear of having their computer infected.

A lot of antivirus researchers find the program absolutely useless (and
some think it could be harmful, too), because the "simulation files"
created by the program aren't viruses at all, and many AV products will
not mark them as infected.

In my opinion, the results of an AV-test done with the
"simulated-viruses" collection are simply misleading and, in some cases,
even harmful.

Why misleading?
The files created by the shareware version of the program (the latest
one is the 2.c version, the .DOC file is dated 4 Apr 93, the executable
file is dated 6 Aug 91) aren't viruses at all: they cannot "infect"
anything, they're only "parts" of viruses. Not all AV programs will
detect them as viruses, so the detection rates can be *very* different
compared with the rates of a test on *real* viruses.

Why harmful?
A user, after doing such a test, could think that the "X" AV product,
that failed to detect all simulations, isn't good enough.
This will cause the user to rely on another AV product ("Y") for the
security of her/his computer; this second product performed better on
the "simulated-viruses" test, but perhaps its detection rate on *real*
viruses is worse than the first one. In the future the "Y" product could
fail to detect a real virus (virus that the "X" product would have
detected), and the user's computer will become infected only because
she/he relied on a worse AV product (but apparently good when tested on
the simulations).

Ok, but now, as usual, I'll bring evidence to what I say.

I've created some simulations with the Virus Simulator v.2c program.
Then I took from my library (containing only *real* viruses) the same
viruses that the program claimed to have created. The total number of
viruses is 70. There are some reasons why I took only 70 viruses:

a) The Virus Simulator 2c was programmed some years ago (again, the date
   of the executable file is 6 Aug 1991). At that time there were not so
   many viruses as today (reading from a VTC report, in February 1991
   not more than 150 IBM/PC viruses were known).

b) The program doesn't call the viruses with the CARO naming standard,
   and most of the time only the family name is provided. I really
   cannot know which variant it means when it creates the
   "Vienna/Violator" simulation... If Mr. Rosenthal could provide more
   exact names, I would be able to add more viruses to the test.

Ok, now to the AV products used for the test:

Name                   Version   Date (MM/DD/YY)   Producer
=-----------------------------------------------------------=
AntiVir IV (AVScan)    1.64      08/03/94          H+BEDV GmbH.
AV Toolkit Pro (-V)    2.00e     07/13/94          KAMI Ltd.
AVTK (Findviru)        6.6       05/11/94          S&S Int. Ltd.
F-Prot                 2.13a     07/27/94          Frisk Soft. Int.
IBM Antivirus/DOS      1.06      07/11/94          IBM Corp.
Integrity Master       2.22a     05/25/94          Stiller Research
Sweep                  2.64      08/01/94          Sophos Plc
TBAV (TbScan)          6.22      07/11/94          ESaSS BV
Virex PC (VPCScan)     2.94      07/05/94          Datawatch Corp.
VirusScan              2.1.0     07/18/94          McAfee Inc.
You can find more information in the TESTINFO.ZIP archive, available at
all our distribution sites.

And here are the results of the two tests. First of all, I tested the
products like the users that use Mr. Rosenthal's program would do: with
the "simulated viruses".

 | Antivirus       | % of simulations detected   |
 | product         | as infected                 |
=----------------+-----------------------------+--=
 | AVScan 1.64     |           98 %              |
=----------------+-----------------------------+--=
 | AVP 2.00e       |            0 %              |
=----------------+-----------------------------+--=
 | Findviru 6.6    |            0 %              |
=----------------+-----------------------------+--=
 | F-Prot 2.13a    |           71 %              |
=----------------+-----------------------------+--=
 | IBMAV 1.06      |           55 %              |
=----------------+-----------------------------+--=
 | I-Master 2.22a  |          100 %              |
=----------------+-----------------------------+--=
 | Sweep 2.64      |           60 %              |
=----------------+-----------------------------+--=
 | TbScan 6.22     |           42 %              |
=----------------+-----------------------------+--=
 | VPCScan 2.94    |          100 %              |
=----------------+-----------------------------+--=
 | VirusScan 2.1.0 |           45 %              |
=----------------+-----------------------------+--=

Note: although the final report of F-Prot stated that there were
infected files, the message I received was always "Destroyed by the VCL
virus".

So, which one performed better? Which one seems to be an "unreliable"
antivirus? Here's the final list (1 = better, 8 = worse):

1. Integrity Master ex aequo with Virex
2. AntiVir IV
3. F-Prot
4. Sweep
5. IBM AntiVirus
6. VirusScan
7. TbScan
8. AntiViral Toolkit Pro ex aequo with Dr. Solomon's AVTK

Ok, now we'll see which are the *real* results, the ones I had after
testing the same AV programs with *real* samples of the same viruses.
 | Antivirus       |% of infected files correctly|
 | product         | detected as infected        |
=----------------+-----------------------------+--=
 | AVScan 1.64     |          100 %              |
=----------------+-----------------------------+--=
 | AVP 2.00e       |          100 %              |
=----------------+-----------------------------+--=
 | Findviru 6.6    |          100 %              |
=----------------+-----------------------------+--=
 | F-Prot 2.13a    |          100 %              |
=----------------+-----------------------------+--=
 | IBMAV 1.06      |          100 %              |
=----------------+-----------------------------+--=
 | I-Master 2.22a  |           99 %              |
=----------------+-----------------------------+--=
 | Sweep 2.64      |          100 %              |
=----------------+-----------------------------+--=
 | TbScan 6.22     |          100 %              |
=----------------+-----------------------------+--=
 | VPCScan 2.94    |           99 %              |
=----------------+-----------------------------+--=
 | VirusScan 2.1.0 |           96 %              |
=----------------+-----------------------------+--=

Yes, all AV products had an excellent score. This is because all the
viruses, as I already stated before, are very old, and (almost) all AV
programs should now detect them. I won't waste time typing the list: you
all have seen that the results are a little different than the ones
shown above. Almost all AV products with a bad performance on the
"simulated-viruses" test had a very good performance in the *real* test.

IMPORTANT: The aim of this test isn't showing which AV is better, but
how the files created by Mr. Rosenthal's "Virus Simulator" aren't
suitable for AV-testing. Seventy viruses aren't enough for a real AV
test. If you wish to see which AV performed better in our tests, please
refer to the General Antivirus Test.

Anti-flame: I showed with *facts* that Mr. Rosenthal's "Virus Simulator"
isn't very good at all to test AV software. If someone likes to reply to
this test, I ask her/him to bring facts, not only words.

Last thing. Let's think for a moment that the "Virus Simulator" creates
real viruses that can be used for testing purposes, let's think that Mr.
Rosenthal is right and that his program is suitable for all users who
wish to test their AV programs. There will be another false step: all AV
products will have a 99 - 100 % score! The viruses (simulations)
generated by the program are too old to be used for testing purposes!
Almost all AV products will detect them. How will the user be able to
choose between a program that detects all viruses and another one that
detects the whole collection too?? Right.

Here's the test-set of the viruses used for this test (to allow other
researchers to check my results) according to the CARO naming standard:

Alabama.A; Ambulance.A; Amoeba.A; Armagedon.1079.A; Black_Monday.1055.A;
Carioca.A; Cascade.1704.C; Cascade.1704.Formiche; Dark_Avenger.1800.A;
Darth_Vader.344.A; DataLock.920.A; Devil's_Dance.A; Diamond.1024.A;
Diamond.Greemlin; Diamond.Lucifer; Dir.691; Flip.2153.A;
Friday_13.416.A; Frodo.Frodo.A; Frodo.Fish6.A; Guppy.A; Halloechen.A;
Hymn.Hymn.A; ItaVir; Jerusalem.1808.A;
Jerusalem.AntiCAD.2900.Plastique.A; Jerusalem.AntiCAD.4096.A;
Jerusalem.Fu_Manchu.B; Jerusalem.Solano.Subliminal.A;
Jerusalem.Sunday.A; Jerusalem.Sunday_II.A; July13th.1201; June16th;
Keypress.1232.A; Kukac.Turbo; Lehigh; Leprosy.Plague; Liberty.2857.A;
Little_Pieces; Murphy.1480.A; Nomenklatura.A; Ontario.512.A; Paris;
Pixel.847.Pixel; Raubkopie; Russian_Mirror.A; Staf; Star_Dot.600;
Star_Dot.801; Suomi; Suriv.1_01.April_1st.A; SVC.3103.A; Sylvia.1332.A;
SysLock.Macho.A; Tenbytes.1554.A; Tequila; Tiny_family.133;
Traceback.2930; Vacsina.TP-06; Vacsina.TP-23; Vacsina.TP-24;
Vcomm.637.A; Vienna.Stone-90; VirDem.1336.German.A; Voronezh.1600;
Whale.00; Wolfman.A; XA1; Yankee_Doodle.TP-44.A; Zero_Bug.A

Note: I haven't tested the other two features of the "Virus Simulator"
(boot viruses simulations and TSR signatures). If there's enough request
I'll do it.

This test will soon be available at our distribution sites in the
SIMTEST.ZIP archive.

Best Regards,
Luca Sambucci

Luca Sambucci                            luca.sambucci@ntgate.unisg.ch
Italian Computer Antivirus Research Organization
Iterum rudit leo
------------------

- -----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLl1GwuZQNzkHaA4JAQHcWwQAuChaVADrRYm6eC2NLzouiZ1ekje5YYL9
Y1zsLpmQzE0+13teDd6T/APoPTekIMPaTHl7To/aHlCQasgqRfAECJsa6FVFn1l6
VYUKEXZvZk62jgY8RtZw9GS/flbtWkDkNFrNP6UosLdbIztS1He9loZ7B7yurqGc
+aTVGhhSv54=
=ZvEc
- -----END PGP SIGNATURE-----

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 79]
*****************************************
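Appended after the digest as an added example: it is not code from the
digest, from Virus Simulator, or from any scanner named above. It models
the point Vesselin Bontchev makes in the Virus Simulator thread (a good
scanner follows the file entry point and expects the scan string at the
place a real infection would put it, so a file that merely carries the
bytes as data does not trigger it) and reports the two numbers Luca
Sambucci's tables compare, the rate on "simulation" files and the rate on
infected-shaped files. The placeholder scan string, the 16-byte entry
window (real scanners use an exact per-virus offset), the hand-built .COM
and MZ images and all function names are assumptions of this example.

```python
"""Entry-point-aware scan-string matching versus naive whole-file search.

Toy model of the point made in the Virus Simulator thread: a scanner that
follows the program entry point and expects a virus's scan string near it
is not fooled by a file that merely contains the bytes somewhere in its
data.  Everything here is constructed for illustration; the "scan string"
is an arbitrary placeholder and the sample files are hand-built, not the
output of any real product.
"""
import struct

# Constructed placeholder scan string (NOT a real virus pattern).
SCAN_STRING = bytes.fromhex("b8004ccd219090eb")
# Assumption for this toy: the modelled virus places its scan string within
# the first ENTRY_WINDOW bytes executed at the entry point.  Real scanners
# use a precise per-virus offset; a small window stands in for it here.
ENTRY_WINDOW = 16


def exe_entry_offset(data: bytes) -> int:
    """File offset of the initial CS:IP of an MZ (.EXE) image."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_cparhdr = struct.unpack_from("<H", data, 0x08)[0]  # header size in paragraphs
    e_ip = struct.unpack_from("<H", data, 0x14)[0]       # initial IP
    e_cs = struct.unpack_from("<H", data, 0x16)[0]       # initial CS, relative to load segment
    return e_cparhdr * 16 + e_cs * 16 + e_ip


def entry_offset(name: str, data: bytes) -> int:
    """A .COM image is raw code executed from file offset 0; an .EXE needs its header."""
    if name.lower().endswith(".exe"):
        return exe_entry_offset(data)
    return 0


def naive_scan(name: str, data: bytes) -> bool:
    """Whole-file search: flags the file if the bytes occur anywhere in it."""
    return SCAN_STRING in data


def entry_point_scan(name: str, data: bytes) -> bool:
    """Flags the file only if the scan string sits in the code that runs first."""
    try:
        entry = entry_offset(name, data)
    except ValueError:
        return False
    window = data[entry:entry + ENTRY_WINDOW + len(SCAN_STRING)]
    return SCAN_STRING in window


def make_mz(code: bytes, trailer: bytes = b"") -> bytes:
    """Minimal MZ file: 32-byte header, entry at CS=0:IP=0, then code and data."""
    header_paras = 2
    hdr = bytearray(header_paras * 16)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, header_paras)  # e_cparhdr
    struct.pack_into("<H", hdr, 0x14, 0)             # e_ip
    struct.pack_into("<H", hdr, 0x16, 0)             # e_cs
    return bytes(hdr) + code + trailer


# Constructed sample set: name -> (image, really infected?)
HOST = b"\xb4\x09\xba\x00\x01\xcd\x21\xc3"  # mov ah,9 / mov dx,100h / int 21h / ret
SAMPLES = {
    # simulation-style files: scan string embedded as data, never executed
    "SIM1.COM": (HOST + b"\x00" * 40 + SCAN_STRING, False),
    "SIM2.EXE": (make_mz(HOST, b"\x00" * 40 + SCAN_STRING), False),
    # infected-shaped files: scan string is in the code executed first
    "INF1.COM": (SCAN_STRING + HOST, True),
    "INF2.EXE": (make_mz(SCAN_STRING + HOST), True),
    # an ordinary clean program
    "CLEAN.COM": (HOST, False),
}


def run(scanner):
    """Apply a scanner to every sample; returns {name: flagged}."""
    return {name: scanner(name, image) for name, (image, _) in SAMPLES.items()}


def rate(scanner, infected: bool) -> float:
    """Percentage of samples with the given ground truth that the scanner flags:
    infected=True is the detection rate, infected=False the false-positive rate."""
    subset = [(n, img) for n, (img, inf) in SAMPLES.items() if inf == infected]
    hits = sum(1 for n, img in subset if scanner(n, img))
    return 100.0 * hits / len(subset)


if __name__ == "__main__":
    for scanner in (naive_scan, entry_point_scan):
        print(f"{scanner.__name__}: {run(scanner)}")
        print(f"  detection rate {rate(scanner, True):.0f} %,"
              f" false-positive rate {rate(scanner, False):.0f} %")
```

Run as a script, the naive scanner scores 100 % on both the infected-shaped
files and the two simulation files (a false-positive rate of 67 % on the
clean set), while the entry-point scanner scores 100 % on the infected
files and 0 % on the simulations: the same split between the two tables
above, reproduced on five constructed samples.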