VIRUS-L Digest   Wednesday, 12 Oct 1994    Volume 7 : Issue 82

Today's Topics:

virus in jpgs
Re: Netcom distributing viruses
Re: delphi virus?
Do you have a list of all viruses
Re: Re| Viruses = Commercial Opportunity?
Re: 386/486 virus protection(UNIX)
HELP!! w/ TSR Virus and Stacker (PC)
HELP with form virus / FAQ (PC)
Re: BSVs and F-PROT/VIRSTOP (PC)
Re: VIRUS INFECTION - (PC)
Ohio and Filer virii (PC)
NATAS false positive and WPWIN6.0a (PC)
Noint Virus/Stoned-3 (PC)
Re: HELP!! w/ TSR Virus and Stacker (PC)
New Stoned Virus? (PC)
On exchanging viruses via BBSs (PC)
Video virus? (PC)
Help Win 32 Bit File Virus? (PC)
VIRUS INFECTION - (PC)
Re: Smeg viruses (PC)
Re: How to Remove a swiss virus from the partition table? (PC)
What's McAfee's Latest Version (PC)
HELP!! w/ TSR Virus and S (PC)
Re: Update...WPWIN6.0a and NATAS (PC)
HELP! My PC seems to be infected. (PC)
Can Joshi do this (PC)?
Whisper - Tai_Pan virus (PC)
NATAS information wanted (PC)
Need Help with Stoned Virus (PC)
checksums changing (PC)
File "NOMORE" found in ramdisk - what virus? (PC)
SCAN 2.1.0 and FORM_A (PC)
SCAN 2.1.0 -> False alerts ? (PC)
Re: Fixing the boot sector of a floppy? (PC)
Re: HELP!! w/ TSR Virus and Stacker (PC)
Press Conference
Re: Virus simulators
Virus simulators
Rosenthal Simulator (again)
The Tamper-Proof Virus Simulator
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.
(The complete set of posting guidelines is available by FTP on
CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)  Please sign
submissions with your real name; anonymous postings will not be
accepted.  Information on accessing anti-virus, documentation, and
back-issue archives is distributed periodically on the list.  A FAQ
(Frequently Asked Questions) document and all of the back-issues are
available by anonymous FTP on CORSA.UCR.EDU.  Administrative mail
(e.g., comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.MIL.  All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Sat, 24 Sep 94 19:31:41 -0400
From:    Iolo Davidson
Subject: virus in jpgs

In article <0006.9409231309.AA16142@bull-run.assist.mil>
kauffner@seaotter.micro.umn.edu "Peter Kauffner" writes:

> I have a virus infection which F-Prot detects as
> "Stoned.NoInt.A". McAfee detects it as "NO INT". Norton said it
> was a Chinese something or other.

This is a boot/partition sector infector.  Where do the AV progs say
they find it?

> The only exposure to unscanned files that my PC has had in the
> last several months is JPEG and GIF files downloaded off of
> Usenet. Is that a plausible source for this type of infection?

No.  You don't catch this from files at all.  You get it by trying
(usually inadvertently) to boot from an infected floppy disk.

> I haven't noticed any virus symptoms yet, even though the virus
> must have been in my machine for at least a month or two before I
> discovered it. Does anyone know what the symptoms of this
> particular virus are? My operating system is DR DOS 6.0.

This is a stealth virus with no deliberate payload.  Presumably you
have used Fprot to get rid of it?
- --
 THE TIME TO START A REAL DISPUTE
 IS WHEN YOU'RE OFFERED A SUBSTITUTE
                         Burma Shave

------------------------------

Date:    Sun, 25 Sep 94 11:01:04 -0400
From:    iandoug@cybernet.za (Ian Douglas)
Subject: Re: Netcom distributing viruses

Yaron Y. Goland (ygoland@hollywood.cinenet.net) wrote:

> Because viruses are basically text any licensing of their distribution is
> equivalent of licensing freedom of speech. It is easy to license people's
> right to drive as a physical object is involved. But viruses are nebulous
> entities whose very definition has caused years of acrimonious debate. It
> seems simple to say 'anyone who releases a virus to an irresponsible
> person should be held legally liable' but its practical effect is
> horrifying. It means that every time one utters a phrase or a word one is
> put in very real jeopardy of being legally liable beyond the usual
> liabilities for uttering falsehoods.

Plans for nuclear bombs are also 'basically text'.  Should these also be
freely available?  How about some secret Mossad files?

You see, the argument that restrictions on viruses impinge on the
freedom of speech firstly assumes that all speech is of equal value and
importance.  It is not.  Secondly, there is no such thing as freedom of
speech, because it is always balanced by restrictions imposed for the
sake of responsibility.  The vX crowd attempt to duck the responsibility
bit.  We wish to remind them of it.

How come viruses are NOT 'a physical object'?  Surely a file is an
object, it exists...

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas          Lead, Follow,          InterNet: iandoug@cybernet.za
P.O. Box 484         or get out of          FidoNet:  5:7102/119
7532 Sanlamhof       the way.               TopNet:   225:2048/1
South Africa         (Ted Turner, CNN)      PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date:    Mon, 26 Sep 94 01:43:10 -0400
From:    kenney@netcom.com (Kevin Kenney)
Subject: Re: delphi virus?

Actually, I had this text-to-gibberish happen here at netcom.  It
turned out that my communication program's terminal emulation was set
to seven bit instead of eight.  A hex eighty-something character would
come across (possibly due to line noise or a sent delete or macro key
sequence), the top bit would get stripped, and the low-order value
became a terminal control code, notably to swap character sets.  The
problem went away as soon as I changed to eight-bit characters in my
comm. program.

Happy Hunting - KpK

------------------------------

Date:    Tue, 27 Sep 94 02:25:47 -0400
From:    Eric-Ho@cuhk.hk (Eric Ho)
Subject: Do you have a list of all viruses

Do you have a list of all viruses known.  Or the longest list you
think.  Would like to study about that.

- ---------------------------------------------
Why does 1 plus 2 become 3?
- ---------------------------------------------

------------------------------

Date:    Tue, 27 Sep 94 14:30:31 -0400
From:    padgett@141.240.2.145 (Padgett 0sirius)
Subject: Re: Re| Viruses = Commercial Opportunity?

In article <0006.9409221411.AA14635@bull-run.assist.mil>
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>As a beginning, one should be able to checksum the whole files. Also,
>the checksum algorithm should be somehow seeded as to produce
>different checksums for the different installations - even if one and
>the same file is checksummed. It should also be modified to withstand
>the attacks mentioned in my paper about the attacks against integrity
>checkers. There are *many* other things that have to be improved.
Vesselin was talking about NAV however it is interesting to note that
there was a product developed in 1990 that did all of these things and
is *still* effective today even though development stopped some time
ago and I am not even sure if it is still available.

The product was PCVirusafe from Enigma Logic and even now it is one of
the few such products that can load from either Autoexec.Bat or
Config.Sys.  Unfortunately it was never mass-marketed.

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.4 Public Key Available

------------------------------

Date:    Fri, 23 Sep 94 15:52:45 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: 386/486 virus protection(UNIX)

In article <0007.9409221411.AA14635@bull-run.assist.mil>, Vesselin
Bontchev wrote:

>Minix - probably, yes. However, I am pretty sure that diskettes
>formatted for Apple ][+ will not be infectable on an IBM PC.

Are you sure about that?  The overall media is the same thing, and I
don't think that INT 13h calls care about the BPB at all.  I would
imagine it would still be read/writeable.  Why do you think this?

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
      Email: datadec@cs.ucr.edu.
      "Two types of programs do CALL ; POP .  They are viruses and a good
       chunk of DOS programs.  Down with MicroSloth."

------------------------------

Date:    Fri, 23 Sep 94 15:22:23 -0400
From:    Iolo Davidson
Subject: HELP!! w/ TSR Virus and Stacker (PC)

In article <0011.9409221411.AA14635@bull-run.assist.mil>
bbecke1@umbc.edu "Bryan M. Becker" writes:

> I have Stacker on my hard drive. I also have the Liberty Virus there
> too. The Liberty Virus is a TSR virus that affects .com and .exe files
> when they are executed.
>
> If I boot from a disk without the Stacker driver, I can only see some of
> my hard drive. So I need the driver to see all of the hard drive. When
> I boot from the disk stacker must swap drives. Now the virus is loaded
> into memory and I haven't done anything. I run scanners from my floppy
> and it tells me that a virus is loaded into memory.
>
> I have no idea what to do. I've tried everything I can think of!! Can
> anyone please help?

What you need to do is prepare a floppy boot disk with the necessary
driver(s) to mount the Stacker drive(s) from a floppy boot.
Unfortunately, you need to do this *before* you get your hard disk
infected, and it is now too late to do it on the infected machine,
because you will infect everything on the floppy disk.

Can you make a boot floppy, with the drivers, on an uninfected machine?
No?  Maybe you can boot from a clean floppy and somehow get the drivers
on to it from the Stacker distribution disks without infecting the boot
floppy or distribution disks, but it isn't really a job for someone not
familiar with the risks.

This is another good reason not to use disk doublers, or if you do, to
take the advice about being prepared in advance which you ought to find
in your anti-virus software docs.

I think you will need professional help to recover now.

- --
 THE TIME TO START A REAL DISPUTE
 IS WHEN YOU'RE OFFERED A SUBSTITUTE
                         Burma Shave

------------------------------

Date:    Fri, 23 Sep 94 15:22:27 -0400
From:    Iolo Davidson
Subject: HELP with form virus / FAQ (PC)

In article <0022.9409221411.AA14635@bull-run.assist.mil>
walts@gate.net "Walter Scrivens" writes:

> I recently had an infection of the form virus on some
> workstations on my LAN. We cleaned it, and several weeks later
> it reappeared (and has been cleaned again)

You get infected by booting, or trying to boot, from an infected
floppy.  It will keep coming back until you find, and clean, all the
infected floppies.  Especially the one that so-and-so usually keeps at
home and thinks doesn't count because it only has some word processor
files on it.  Check the "blank" ones too.
- --
 THE TIME TO START A REAL DISPUTE
 IS WHEN YOU'RE OFFERED A SUBSTITUTE
                         Burma Shave

------------------------------

Date:    Fri, 23 Sep 94 17:16:42 -0400
From:    tracker@netcom.com (Craig)
Subject: Re: BSVs and F-PROT/VIRSTOP (PC)

Randy Ridgely (datos@crl.com) wrote:
: a site license for F-PROT. I haven't received a reply, so I figure if
: he's too busy to reply to a question involving money, he's too busy to
: answer freebies. I'm trying to dig myself out from under an infection

My same experience, too.  I sent him e-mail in the past and he's
ignored it.  How can he expect potential customers to want to buy big
site licenses if he doesn't acknowledge e-mail.  I've seen posts in the
past from site license customers of his [i.e. from big colleges, etc.]
and he's done the same thing to them.

Craig

- --
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
//  Only believe in quality:            \\
\\  1) AT&T, Motorola/Codex, Multi-Tech, //
//     Telebit, ZyXEL.                   \\
\\  2) Untouchable, Dr. Solomon's AVTK,  //
//     AVP, F-Prot, TBAV.                \\
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

------------------------------

Date:    Fri, 23 Sep 94 18:03:54 -0400
From:    jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: VIRUS INFECTION - (PC)

In article <0044.9409231309.AA16142@bull-run.assist.mil>, Brian Warner
wrote:

[stuff about keyboard giving bad keystrokes deleted]

)I thin4 my pc might be infected with a virus. My virus checher dosn't detect
)anything, but I have some strange symptoms. Three of my 4eys are returning

I hope I am not talking down to you, or mentioning something which is
too obvious.  At my college, I once helped a woman who could not start
her car.  A security guard had connected jumper cables, and she -still-
could not start it.  I noticed that the transmission was in drive.
That fixed everything.  She was not unintelligent, just overlooked
something obvious.

You probably need a new keyboard.  Turn off your machine, and another
one with a known good keyboard.  Swap keyboards, and turn on both
machines.
If the symptoms change computers, you need a new keyboard.

Mike

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date:    Fri, 23 Sep 94 18:41:43 -0400
From:    ar268@freenet.carleton.ca (Ajay S. Kumar)
Subject: Ohio and Filer virii (PC)

Hi.  I recently ran my virus detection program and the response was
that both the Filler and Ohio virus are found in memory and that my
hard disk has been infected.  I'm going to re-install DOS as soon as I
can but can anyone tell me anything about these virii and if I can be
rid of them entirely?

Thanks for any help,
Ajay

- --
- ----------------------------------------------------------------------------
| A closeness to nature is the only that can open the doors to innocence.  |
| I don't think enough.  Therefore I die.  Teach me to die and I will call |
| you my friend.  Teach me to think and I will call you my God.            |

------------------------------

Date:    Fri, 23 Sep 94 20:04:54 -0400
From:    Caroline Ferguson
Subject: NATAS false positive and WPWIN6.0a (PC)

The poster who was having a problem with a false positive for the NATAS
virus and Vi-Spy should make sure he is using the current version of
the product.  The previous release did have a problem with false
positives for the NATAS virus.  This has been fixed with the current
release of Vi-Spy.  The current version is VI-SPY 12.0 RELEASE 08.94A.

Hope this helps...

Caroline Ferguson
Univ. of PA.

------------------------------

Date:    Fri, 23 Sep 94 23:10:34 -0400
From:    jonathanjh@aol.com (JonathanjH)
Subject: Noint Virus/Stoned-3 (PC)

On a disk at work today, I found it was infected with the Stoned-3
virus, which was in the boot sector.  It's a 3 1/2 inch disk.  What
does this virus do?  How harmful is it?

Also, on a PC, we found it was infected with a virus called the Noint
virus.  What does this one do, and how harmful is it?  How do you get
rid of them?
The virus detector program we used was one that was shipped with one of
our other computers, Chipaway Viruses by Trend Micro Devices Inc.  Is
this a good program?  If not, what is currently the best virus detector
to use?

I know these questions sound basic, but I'm new to this group, and in
about 6 years of being involved with PCs of one kind or another, this
is the first time I've ever come across a virus.  Any answers will be
appreciated.

Thank you.
JonathanJh@aol.com

------------------------------

Date:    Sat, 24 Sep 94 00:03:01 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: HELP!! w/ TSR Virus and Stacker (PC)

In article <0011.9409221411.AA14635@bull-run.assist.mil>, Bryan M.
Becker wrote:

>Can someone please help me,
>
>I have Stacker on my hard drive. I also have the Liberty Virus there
>too. The Liberty Virus is a TSR virus that affects .com and .exe files
>when they are executed.
>
>If I boot from a disk without the Stacker driver, I can only see some of
>my hard drive. So I need the driver to see all of the hard drive. When
>I boot from the disk stacker must swap drives. Now the virus is loaded
>into memory and I haven't done anything. I run scanners from my floppy
>and it tells me that a virus is loaded into memory.
>
>I have no idea what to do. I've tried everything I can think of!! Can
>anyone please help?

Well, I must say that it has been quite a while since I have actually
used Stacker.  However, it sounds like either your command.com is
infected, or a stacker driver of some sort is infected.

What I would suggest is that you boot up from a clean disk, replace
your stacker directory with clean copies, as well as your command.com,
and any other things you might run in your autoexec.bat and/or
config.sys files.  Reboot up, off your hard drive, and if you ran
something from the stacker side of the scene, then remove those from
whatever is being loaded up by stacker on bootup so that the virus
isn't in memory.
Then you need to reboot and then you can scan your system as you
normally would.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
      Email: datadec@cs.ucr.edu.
      "Two types of programs do CALL ; POP .  They are viruses and a good
       chunk of DOS programs.  Down with MicroSloth."

------------------------------

Date:    Sat, 24 Sep 94 19:30:18 -0400
From:    Iolo Davidson
Subject: New Stoned Virus? (PC)

In article <0017.9409231309.AA16142@bull-run.assist.mil>
hewitson@hickory.egs.uct.ac.za "Bruce Hewitson" writes:

> .procedures for copying MBR over deleted....
>
> I have a problem when I try this...my hardrive is dblspaced
> (dos 6.2) and when I boot off a clean floppy, I cannot access c:
>
> Any ideas...

What do you mean by "cannot access"?

If you get "invalid drive" then this could be because the virus has
overwritten or scrambled the partition table, in which case you
definitely don't want to use FDISK /MBR.  Or it could be because you
booted with an old version of DOS (like 3.3) which cannot recognize
drive volumes larger than 32 megabytes.

If you can do a DIR on C:, but it just doesn't display the files you
expect to see, that is doublespace working.  Pain in the behind, huh?
I wouldn't use it, for this reason alone.  In this case you need a boot
disk that will run the doublespace driver, or something along those
lines.

- --
 THE TIME TO START A REAL DISPUTE
 IS WHEN YOU'RE OFFERED A SUBSTITUTE
                         Burma Shave

------------------------------

Date:    Sat, 24 Sep 94 19:34:26 -0400
From:    Iolo Davidson
Subject: On exchanging viruses via BBSs (PC)

In article <0031.9409231309.AA16142@bull-run.assist.mil>
hubak@elf.stuba.sk "Peter Hubinsky" writes:

> BTW it looks, that there is need for virus simulation
> product existing in PC community -

I profoundly disagree.  Such a thing can do nothing but mislead.

> why didn't you create anything better by yourself?

The implementation is not the problem.  The basic concept is nonsense.
- --
 THE TIME TO START A REAL DISPUTE
 IS WHEN YOU'RE OFFERED A SUBSTITUTE
                         Burma Shave

------------------------------

Date:    Sat, 24 Sep 94 19:35:48 -0400
From:    Iolo Davidson
Subject: Video virus? (PC)

In article <0036.9409231309.AA16142@bull-run.assist.mil>
chris584@aol.com "Chris584" writes:

> We have lost several monitors in the past month, and have read
> that there are viruses which can alter frequencies or voltages
> sent to the monitor or video card. Please advise whether this is
> true,

Urban myth.

> how to detect such a virus, whether standard
> virus detection packages can detect such a virus, etc.

Standard?  You need something better than that, a top anti-virus
package with regular updates.  But it won't stop your monitors going
down.

- --
 THE TIME TO START A REAL DISPUTE
 IS WHEN YOU'RE OFFERED A SUBSTITUTE
                         Burma Shave

------------------------------

Date:    Sat, 24 Sep 94 19:37:11 -0400
From:    Iolo Davidson
Subject: Help Win 32 Bit File Virus? (PC)

In article <0034.9409231309.AA16142@bull-run.assist.mil>
a0631vdc@c1.cc.univie.ac.at "Gerhard Kluenger" writes:

> Any idea if - and what kind of - virus this might be?

A boot/partition sector virus.  Don't think it needs to be a particular
one to give these symptoms.

> What I wonder is, that my IBM-AV (about 8 month old version)
> shield didn't say anything, when I used this diskette the first
> time to transfer an AMI-PRO textfile from a friend. (After this I
> forgot it in the drive and next time powering on I got the
> troubles described before).

In the last eight months, over a thousand new viruses have appeared.

Your last sentence is the classic way of catching a boot sector virus.
Your friend probably has it too.
- --
 THE TIME TO START A REAL DISPUTE
 IS WHEN YOU'RE OFFERED A SUBSTITUTE
                         Burma Shave

------------------------------

Date:    Sat, 24 Sep 94 19:38:33 -0400
From:    Iolo Davidson
Subject: VIRUS INFECTION - (PC)

In article <0044.9409231309.AA16142@bull-run.assist.mil>
bpwarner@csupomona.edu "Brian Warner" writes:

> I thin4 my pc might be infected with a virus. My virus checher
> dosn't detect anything, but I have some strange symptoms. Three
> of my 4eys are returning incorect va5ues, as you can see. 5 and
> 4 are two examp5es of said errors.

There are viruses that play such keyboard tricks, though I haven't
heard of this exact symptom.  You don't say which AV you have used or
how old it is.  You need an up to date copy of something capable.
Fprot is easy to obtain and better than most.

> I have thought about bootinig my pc from drive a, but that dosn't
> wor4 - It continues booting on drive C:, ignoring the boot dis4
> in drive A:.

It is probably set up to boot only from C: in the BIOS setup.  You
ought to change this if you want to go virus hunting, as most AV
scanners advise starting from a clean floppy boot.

- --
 THE TIME TO START A REAL DISPUTE
 IS WHEN YOU'RE OFFERED A SUBSTITUTE
                         Burma Shave

------------------------------

Date:    Sat, 24 Sep 94 20:40:06 -0400
From:    rshea@netcom.com (Rex Sheasby)
Subject: Re: Smeg viruses (PC)

In article <0030.9409221411.AA14635@bull-run.assist.mil>,
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

> Rex Sheasby (rshea@netcom.com) writes:
>
> > proprietary HD commands (commands not in the IDE spec) to overwrite areas
> > of the disk essential to its operation. A jumper to disable this possibility
> > users would call a disk that had to be returned to the factory repair center
> > 'damaged', I suspect.
>
> First, the fact that the users do not know how to deal with the
> software damage does not mean that the hardware has been damaged.
[elided]

Will you volunteer to explain to users why their "undamaged" drive must
be returned to the vendor?

Perhaps I wasn't clear.  On this particular drive, it is possible to
overwrite firmware on the media.  The users _cannot_ deal with the
problem if the proprietary firmware on the platter is overwritten.
Neither can a HD refurb facility.  The drive cannot be used.  It is
highly unlikely anyone without access to proprietary information will
be able to restore it.  Effectively, it is as dead as it would be with
a servo head crash on a dedicated servo platter drive.  All the user's
data is still there, undamaged, but it may as well be on the moon.  The
user is not going to recover it, and the drive will not work again.

> Second, the modern IDE drives are usually "idiot-proof" in the sense
> that they simply do not allow the user to write to those areas of the
> disk where it could damage the hard disk.

Well, I don't have access to the design team for other drives, so I
cannot address "usually".  I do know there are several drives from this
vendor that have this potential, and have since gotten the opinion from
the person on the design team that it is likely at least some drives
from other vendors have the same potential problem.  However, in the
case mentioned above some of the firmware is on the media, and _is_
accessible from software.  It can be written to.  That's why we were
discussing modifying the logic board design to add a jumper that would
disable this possibility.

> Therefore, I stand by my original claim - all those rumors are either
> urban legends, or based on defective and/or obsolete hardware.

The case I mention is not a rumor.  I've known the person on the design
team well for about 30 years.  The design is new, obviously not
obsolete.  Defective?  The design team doesn't think so.  They were
aware of the potential problem.  The person I discussed the problem
with was in a position to have had the design altered.
The decision was made that it was not cost effective to modify the
logic board at that stage in the design process.

My conclusion, based on personal knowledge, not speculation, is that it
is possible (though very unlikely) for software to effectively kill
some modern HDs.  Moreover, software that did this might well not be
discovered for a long time, because the normal conclusion of the repair
facility would be that the HDA was defective.

It is also possible that the malicious software could write a time bomb
to the drive firmware, and then erase itself from a floppy as the
Gold-bug virus does.  It's quite possible such software would never be
discovered to be responsible for HDA "failures" that happened long
afterwards.  The problem would have to become common enough that the
vendor investigated why these drives were failing so often.  If the
time bomb were written cleverly, it could take some time before the
vendor was able to determine just what caused the firmware to be
damaged.  Then they would face the problem of discovering what software
had inserted the trojan.  Since it would no longer be on the floppy,
even careful search of all the floppies that had been in the machine
would not reveal the source of the problem.

The same technique could be used to write code to the firmware that
would drop a virus into programs on the disk at odd intervals.  It
would be very frustrating to deal with a virus that kept reappearing
despite the most stringent measures to attempt to prevent it.  A low
level format would be useless, of course.

While I would readily bet that such software will not be written
anytime soon, the possibility does exist.

Regards,
rex

------------------------------

Date:    Sat, 24 Sep 94 21:19:18 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: How to Remove a swiss virus from the partition table? (PC)

In article <0023.9409231309.AA16142@bull-run.assist.mil>, Tony Castillo
wrote:

>Good day,
>
> No, I'm not having a good day...
> Just want to ask everyone on how
>I can remove a swiss virus from the Partition table without low level
>formatting the hard-disk... Is there any virus cleaner that can be able
>to remove it from the partition table.
>
> Will appreciate any help or advice you can give to me...

Do you know the exact name of the virus?  The only "Swiss.xxxx" viruses
I have seen were very small, I seem to remember a Swiss.143.  For sure,
this was not a boot sector infector.

If you are running DOS 5.0+, then you might have a bit of luck removing
the virus by doing the following:

1) Boot from a known clean write protected system disk that has a copy
   of fdisk.exe on it.
2) Type "dir C:".  If it says "Invalid Drive Specification", then stop.
3) If it gave you a directory of drive C:, then type "fdisk /mbr".

If this is a *BOOT SECTOR* infector vs. an MBR infector, then the
generic disinfection would be the same as above, except "fdisk /mbr"
would become "sys c:".  (Of course, you need a copy of sys on your
clean disk...)

Which scanner alerted you to the name of Swiss?  Or did you just make
it up?  Or?

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
      Email: datadec@cs.ucr.edu.
      "Two types of programs do CALL ; POP .  They are viruses and a good
       chunk of DOS programs.  Down with MicroSloth."

------------------------------

Date:    Sat, 24 Sep 94 22:50:27 -0400
From:    jamaican@garnet.msen.com (Dwight Hugget)
Subject: What's McAfee's Latest Version (PC)

What's the latest version of McAfee's scan program?  I just read about
a beta (2.0).  Can I trust this beta???

thanks

------------------------------

Date:    Sun, 25 Sep 94 13:17:57 -0400
From:    roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag)
Subject: HELP!! w/ TSR Virus and S (PC)

 * In a message to All on 09-22-94, Bryan M. Becker said:

BMB> If I boot from a disk without the Stacker driver, I can only see some of
BMB> my hard drive. So I need the driver to see all of the hard drive. When
BMB> I boot from the disk stacker must swap drives. Now the virus is loaded
BMB> into memory and I haven't done anything. I run scanners from my floppy
BMB> and it tells me that a virus is loaded into memory.

To access a stacked drive when booting from a floppy, you need to
include these lines in your config.sys:

    DEVICE = STACKER.COM /P=1 C:\STACVOL.DSK
    DEVICE = SSWAP.COM C:\STACVOL.DSK /SYNC+

I think your problem is that you are running stacker.com and sswap.com
from the hard drive, and that one or both of these are infected.

BMB> I have no idea what to do. I've tried everything I can think of!! Can
BMB> anyone please help?

You need to get clean copies of stacker.com and sswap.com, put them on
your boot floppy and change your config.sys so that these are used.
Alternatively you could boot without these drivers, and replace them on
the hard disk.

RogEr
-=-=-=[ roger.ertesvaag@thcave.bbs.no ]=-=-=-

- ---
 > SPEED 2.0c #1486
 > I've told you MILLIONS of times, don't exaggerate!

- ----
+-----------------------------------------------------------------------+
+ Thunderball Cave BBS  +47 2256 7018 / 2256 8809  (USR V.FC / V.FAST)  +
+                  -- thcave.bbs.no -- Oslo Norway --                   +
+-----------------------------------------------------------------------+

------------------------------

Date:    Sun, 25 Sep 94 17:20:11 -0400
From:    maven@kauri.vuw.ac.nz (Jim Baltaxe)
Subject: Re: Update...WPWIN6.0a and NATAS (PC)

In article <0010.9409221411.AA14635@bull-run.assist.mil>, Baryn Yoon
wrote:

>..... It is possible that Vi-Spy is detecting [WPWin6]
>incorrectly. Other people have confirmed that Vi-Spy detects NATAS
>on WPWIN6.0a files on Install Disk 5.
>
>Can anyone verify whether Vi-Spy is "flaky" or if WP is at fault?

I am not sure whether WP _could_ be "at fault" in this sort of
situation, since it is the responsibility of the AV software to read
the applications correctly.  The general app. certainly shouldn't have
to worry about the AV utility.
If it did, that would present an enormous hole for any virus writer.

So much for philosophical platitudes.  I can tell you that I have been
using just about every version of WordPerfect with a number of AV
packages (primarily F-Prot in fact) and I have never had any problems
with any of them - other than the occasional real infection which could
be easily removed.  I would "blame" Vi-Spy if anything.

- --
Jim Baltaxe - ITS, a consultant
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
There are some days when I can't be sure whether life is trying to
pass me by or trying to run me over.

------------------------------

Date:    Mon, 26 Sep 94 09:35:44 -0400
From:    e94mc@efd.lth.se (Magnus Carstam)
Subject: HELP! My PC seems to be infected. (PC)

HELP.  My PC seems to be infected but I can't remove the virus, if
there is one.  I've had vscan 1.17 checking and once out of 10 times it
found MtE in a file.  I have not seen the virus since.  But the virus
was in the file called 386swp or something in the windows directory.
If it would have been the only infected file it must have been there
from the beginning.  Vscan 2.10 didn't find anything.

Symptoms: Clock is dragging behind.  Speed seems to be reduced.
Scandisk (ms) notices a few corrupted files and has twice found large
data parts not connected with anything.  Files with names like aabbbjju
or something like it (I don't remember the extension) are to be found
around the HD, each one taking up 0k of space.

I don't know if this is anything but I've heard of a virus called
cascade and a checker of IRQ has given the following results:
IRQ2 Cascade -> IRQ9
IRQ9 Cascade -> IRQ2.

Equipment: 486dx2-66 Compaq.  (1.8Gb scsi-2 D:) (212Mb IDE C:) 12Mb
memory (SB16 SCSI-2)

------------------------------

Date:    Mon, 26 Sep 94 15:05:27 +0000
From:    tskunka@rs6000.cmp.ilstu.edu (Tom Kunka)
Subject: Can Joshi do this (PC)?

Here is the situation...  In one of my labs, we ran across a virus
called Joshi.
I had not seen it so I tried to infect a test machine with the virus so that I could disinfect the diskette our patron was using. We use F-Prot 2.13 or 2.14. I did this and everything was fine on the disk...virus gone. The machine I infected by trying to boot with the infected disk was not so fine. The machine will now not boot from the hard drive. I used f-disk and formatted the drive...no go! I can boot from floppy and everything is in order on the hard drive...no viruses! We have had another machine recently do the same thing. Is this the result of the virus? Was it just a fluke that the drive failed? The machine (486-33, 12MB RAM, DOS 5.0)

Thanx for any help....tk

- --
"Complex problems often have the luxury        Thomas Shawn Kunka
of having the simplest solutions. Take a    \0 Academic Computing
step back and they appear like magic."      |\ Illinois State University
                              tk            /\ http://www.ilstu.edu/

------------------------------

Date: Mon, 26 Sep 94 15:27:44 -0400
From: sborduas@step.polymtl.ca (Simon Borduas)
Subject: Whisper - Tai_Pan virus (PC)

Hi folks,

We seem to have in the Montreal area a widespread infection of the virus Whisper (McAfee's name) / Tai Pan (F-Prot's and Thunderbyte's name). This virus infects .exe files and doesn't seem to damage them (the virus can be easily removed if recovery data has been saved before the infection). Any information regarding this virus will be more than welcome.

Simon Borduas
sborduas@step.polymtl.ca

------------------------------

Date: Mon, 26 Sep 94 17:49:36 -0400
From: wormwood@netcom.com
Subject: NATAS information wanted (PC)

Can someone please e-mail me any info they have on NATAS? It seems to have attacked our entire university. PLEASE tell me anything you might know about it. We can't seem to clean it.. we are using McAfee 117b and it just keeps coming back. PLEASE help. E-mail me at wormwood@netcom.com or lt14%utep.bitnet@utepvm.ep.utexas.edu

Thank you very much.

P.S. is this virus dangerous?
- --
FTP.NETCOM.COM pub/wormwood

------------------------------

Date: Mon, 26 Sep 94 21:42:31 -0400
From: ae684@freenet.carleton.ca (John Foulds)
Subject: Need Help with Stoned Virus (PC)

It popped up on my machine a few days ago, the one that gives the message "Your computer is now Stoned". I cleaned it off all the files but don't have the software to go into my partition table and get it out - when I run anti-virus utilities they tell me it's in there but nowhere else. It doesn't seem to be doing any damage. Does anyone know if I have to clean up the entrails of the virus in the partition table?

- --------------------------------------------------------------------
John Foulds * This FreeNet is hard to log in to, so please excuse late replies *
420 Athlone Avenue, Westboro, Ottawa, Ontario, Canada, K1Z 5M5, 1-613-725-1322
- --------------------------------------------------------------------

------------------------------

Date: Mon, 26 Sep 94 22:53:18 -0400
From: twheeler@ix.netcom.com (Tim Wheeler)
Subject: checksums changing (PC)

I am wondering why the checksums are changing on exe and com files? That is the only symptom that I have, but what would do this? F-Prot didn't find anything and MS reported the checksum problem. Any explanation would be welcome.

Tim

------------------------------

Date: Tue, 27 Sep 94 08:21:37 -0400
From: fa5001@ccub.wlv.ac.uk (P.H.Hansen)
Subject: File "NOMORE" found in ramdisk - what virus? (PC)

I have found a file called "NOMORE" in my ramdisk. It's a laptop and its c: drive is write protected. I think this virus tried to format the drive but as it's write protected it couldn't. Anyway neither F-Prot nor SCAN has detected the virus. Which one can it be? And any suggestions on software that will let me turn off the write protect on the drive?
Per Hansen

------------------------------

Date: Tue, 27 Sep 94 12:00:25 -0400
From: mfoss@sognsvn68.sio.uio.no (Marco Foss)
Subject: SCAN 2.1.0 and FORM_A (PC)

I recently encountered FORM_A on a few PCs in our network. To my disappointment, SCAN /CLEAN was not able to remove it. A previous post mentioned FDISK /MBR to remove it from a hard disk, but surely it's removed just by using a clean boot disk (sys c:)? At least, that's what Patricia Hoffman tells me (VSUM), and it worked for me.

- --+-------------------------+---------------------------------------
Marco Foss           | Voice: +47 22 18 75 63 | Fax: +47 22 18 75 30
SiO IT, OSLO, Norway | Email: edbmfo@sio25.uio.no
- ----------------------------+---------------------------------------

------------------------------

Date: Tue, 27 Sep 94 12:17:34 -0400
From: mfoss@sognsvn68.sio.uio.no (Marco Foss)
Subject: SCAN 2.1.0 -> False alerts ? (PC)

1) PC boots up, connects to a NetWare 3.12 server, and runs McAfee's VIRUSCAN 2.1.0 from the server. Scan reports TELECOM found in memory.

Now, booting with a clean boot disk and running scan.exe from the floppy results in nothing: no virus found. To verify this, the latest version of F-Prot finds nothing, either. Well, repeating 1) again, and SCAN finds TELECOM again, while running F-Prot again does not find any viruses.

What gives? I reckon that SCAN comes up with a false alert. Now, I'm no expert, so I just have to trust whatever these antivirus programs tell me, and since in this case I cannot know what's going on, does anybody know of lists or reports of "which programs trigger what anti-virus software" falsely? And, any recommendations as to what action I should take from here?
Thanks in advance

- --+-------------------------+---------------------------------------
Marco Foss           | Voice: +47 22 18 75 63 | Fax: +47 22 18 75 30
SiO IT, OSLO, Norway | Email: edbmfo@sio25.uio.no
- ----------------------------+---------------------------------------

------------------------------

Date: Tue, 27 Sep 94 14:35:32 -0400
From: padgett@141.240.2.145 (Padgett 0sirius)
Subject: Re: Fixing the boot sector of a floppy? (PC)

In article <0028.9409221411.AA14635@bull-run.assist.mil> bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>> Been done. Dr. Solomon's has had a utility to clean floppy boots for
>> years.

My FixFBR (v2.1 is current) has been FreeWare for years and can repair floppy boot sectors. It even replaces the floppy boot sector with generic virus detection software that, should it become infected and you boot from it, will tell you that you have a problem.

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.4 Public Key Available

------------------------------

Date: Tue, 27 Sep 94 17:02:55 -0400
From: preston@elvis.umd.umich.edu (don preston)
Subject: Re: HELP!! w/ TSR Virus and Stacker (PC)

Bryan M. Becker (bbecke1@umbc.edu) wrote:
: Can someone please help me,
: I have Stacker on my hard drive. I also have the Liberty Virus there
: too. The Liberty Virus is a TSR virus that affects .com and .exe files
: when they are executed.
: If I boot from a disk without the Stacker driver, I can only see some of
: my hard drive. So I need the driver to see all of the hard drive. When
: I boot from the disk stacker must swap drives. Now the virus is loaded
: into memory and I haven't done anything. I run scanners from my floppy
: and it tells me that a virus is loaded into memory.
: I have no idea what to do. I've tried everything I can think of!! Can
: anyone please help?
Assuming your COMMAND.COM is infecting your RAM, do this:

1) Boot from a clean floppy and copy your CONFIG.SYS and AUTOEXEC.BAT from drive C to the floppy.
2) Edit both files to be sure that the drive letter is specified on the lines where Stacker is loaded.
   ex: DEVICE=C:\STACKER\STACKER.COM
3) Reboot from the floppy again. This should allow you to access your Stacker volume.

EMAIL me with any more questions.
preston@umdsun2.umd.umich.edu

------------------------------

Date: Sat, 24 Sep 94 01:04:52 -0400
From: wschwartau@delphi.com
Subject: Press Conference

F O R   I M M E D I A T E   R E L E A S E

DISTRIBUTE WIDELY:

The Future of the Internet is Secure!

On October 11, 1994, The Internet Will Become A Safe Place To Do Business.

Sidewinder: Internet Security That Strikes Back

The Internet is a dangerous place. Ask anyone.

 * Between 85-97% of all computer break-ins go undetected.
 * Industrial espionage is up 400% since the late 1980's.
 * Hacker attacks increase exponentially:
 * Over 1 million computer break-ins last year alone.
 * Theft of confidential information costs billions to America's financial infrastructure
 * Privacy is almost nonexistent.

Yet, the Internet is the fastest growing segment of the National Information Infrastructure. Over 20 million users and businesses conduct global affairs on the Internet today, and over 125 million will by the year 2000.

Join us to witness the technological breakthrough in inter-networking which finally makes the Internet a safe place to be. The future of the Internet is secure. Come see how.

October 11, 1994
10:00 AM
National Press Club
Zenger Room
529 14th St. NW
Washington, DC 20045

_Continental Breakfast_

RSVP

Presented by:
Secure Computing Corporation
2675 Long Lake Road
Roseville, MN 55112

For more information contact:
Interpact, Inc.
Winn Schwartau
813.393.6600
P00506@Psilink.Com

Secure Computing:
Kevin Sorensen
1.612.627.2800
1.800.692.LOCK
Sorensen@Sctc.Com

------------------------------

Date: Sat, 24 Sep 94 05:42:25 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus simulators

parvo@netcom.com (Breath me in...) writes:

I wrote:
>>
>> 1) What do you mean by "virus simulators" ? Something that simulates
>> the activation effects of some viruses or something else ?
>>
>> 2) Why do you need this...what is the purpose ?

>Perhaps this person wants to see what particular viruses do (i.e.
>their visual effects). Perhaps he/she is doing a demonstration or
>presentation on viruses.

Perhaps, yes...perhaps he means something that demonstrates a single virus, and perhaps he means something that simulates how viruses spread.....that was not clear from the original posting...and that was why I asked.

>Regardless of the answer, in my opinion, it's none of your business.

Wrong. It is my business. The reason is simply that without some additional information, it is impossible for me to determine which "simulation" program would be best in this particular case. I have a large collection of such programs - I cannot determine which ones to offer to the original poster without knowing more about his needs.

You see, unlike you I am actually trying to be of use to the readers of this newsgroup.

- -frisk

------------------------------

Date: Sat, 24 Sep 94 19:33:03 -0400
From: Iolo Davidson
Subject: Virus simulators

In article <0004.9409231309.AA16142@bull-run.assist.mil> parvo@netcom.com "Breath me in..." writes:

> Why do you constantly question people's motives whenever
> they want to know something about this subject??

Probably because there is someone active in this group who is misleading people with his so-called virus simulator. This being the case, it is important that people looking for a simulator for testing purposes be told that they are useless and misleading for such a purpose.
Continually and repeatedly told.

Why, incidentally, are you questioning Frisk's motives for asking the question? None of your business surely?

> Anyways, to help the individual out who asked the question in the
> first place... If you do an ARCHIE on the string...

Well this is very helpful, general advice to try an archie search. If he knows what archie is and how to use it, he *might* have been able to think of this for himself.

> Also, there are plenty of virus research BBS's that carry a bunch
> of stuff to help you out.

Do you mean virus exchange BBS? I know of no reputable researchers who dabble in virus simulators of other than the "light show" variety. Maybe that is why Frisk asked what he wanted the simulator for - so he could direct him to a source of the "this is what the cascade letter drop looks like" type of simulators. If that was what the guy wanted. Which we still don't know.

- --
THE TIME IS WHEN YOU'RE TO START OFFERED A SUBSTITUTE A REAL DISPUTE
Burma Shave

------------------------------

Date: Mon, 26 Sep 94 07:48:02 -0400
From: DEL2@phx.cam.ac.uk
Subject: Rosenthal Simulator (again)

I am grateful to Mr Rosenthal for his response to my Open Letter. As I understand him, he suggests that I modify my virus identification package to become a virus-and-simulations identification package. Fair enough. It could also scan for mis-spelled words while it was about it :-)

I'm also pleased to see from Eli Shapira that

> VIRSIM2C should not be used to test detection rate or scanning quality of
> one Anti-Virus or another. I understand that Mr. Rosenthal is no longer
> trying to promote his utility for that purpose.

But when Mr Shapira continues

> It is however a very useful tool that can help a customer that
> understands absolutely nothing in viruses to see how the Anti-Virus
> he/she evaluates - reacts to a "virus". It helps them do it without
> risking an infection by a real virus.

he loses me.
After all, how is the utterly naive potential customer to cope with a screen that says "Virus Test Simulations From Rosenthal Engineering detected"? How does that help better than my own demo suite? How is he to know that the same will be true for a real virus?

Still puzzled ...

Douglas de Lacey, Cambridge UK.

------------------------------

Date: Mon, 26 Sep 94 20:59:00 -0400
From: David_Conrad@MTS.cc.Wayne.edu
Subject: The Tamper-Proof Virus Simulator

In VIRUS-L/comp.virus Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

>Dr. David B Hull (dhull@nunic.nu.edu) writes:
>> The registered version of the simulator comes with two live, MtE-based
>> real viruses. You have to exercise on them the same kind of care that
>> you do with other real viruses - to prevent your students from
>> accidentally releasing them, or from knowingly stealing them,
>> modifying them, and using them for some malicious purpose.
>
>These precautions seem excessive....

It is excessive to ensure that the students don't steal the MtE viruses, modify them, and use them for some malicious purpose!? A telling statement!

>Virus Simulator has established itself quite well as an important
>anti-virus tool and the defacto independent product for this purpose.

It's not AV, but (at best) CAI, Computer Aided Instruction. More like CAM, really, Computer Aided Misinformation.

>Registered users receive their copy directly from
>Rosenthal Engineering, in a mailer with a special seal bearing
>the words "Tamper Resistant".

Notice that he doesn't call it a Tamper-Resistant seal, but a "seal bearing the words 'Tamper Resistant'". Quite a neat analogy of the difference between the Virus Simulator and an Anti-Virus program.

Regards,
David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date: Fri, 23 Sep 94 15:22:13 -0400
From: Iolo Davidson
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

In article <0024.9409221411.AA14635@bull-run.assist.mil> as194@cleveland.Freenet.Edu "Doren Rosenthal" writes:

> > Furthermore, promoting this stuff as a test standard maligns
> > Anti-Virus software which correctly identifies the non-virus
> > simulation files as not infected.
>
> This is certainly unfortunate and I'm willing to cooperate with
> any anti-virus product producer that wishes to participate.
> Simply identify the simulations as what they are "Test Simulated
> Viruses From Rosenthal Engineering." Surely this is exactly what
> they are and who could fault anyone for detecting them as that.

Anti-Virus software already suffers from the glut of new viruses arriving daily, to the extent that scanners have a real memory problem handling their database of virus recognition information. This is necessary for real viruses, but now you want to add to the glut, and force anti-virus software producers to identify your phoney non-viruses on pain of their own software being maligned by yours if they don't?

If any legitimate anti-virus software publisher does feel the need to do this, I would suggest that the phrase "Phoney useless pretend non-virus file distributed by a charlatan who will not be named here" would be more apt.

- --
THE TIME IS WHEN YOU'RE TO START OFFERED A SUBSTITUTE A REAL DISPUTE
Burma Shave

------------------------------

Date: Fri, 23 Sep 94 16:00:17 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

In article <0013.9409221411.AA14635@bull-run.assist.mil>, Fridrik Skulason wrote:
>as194@cleveland.Freenet.Edu (Doren Rosenthal) writes:
>>I'm sorry, but I do not make the source code or MtE engine
>>available without my built in safeguards.
>
>Unfortunately, your safeguards are worthless.
>Any decent assembly-language
>programmer can easily remove them, and create a fully working virus, without
>your restrictions.

Whoa, whoa, whoa. This has a pretty high bogusity factor -- any decent assembly language programmer can easily throw together a virus or an MtE clone with some time. On the other hand, someone who is used to using... say, VCL, or MPC, or... will not have this knowledge, and some security on the MtE based files will probably be useful in preventing VCL kiddies from gaining access to another tool. Of course, the argument "if they have VCL, they have MtE" emerges... :)

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
"Two types of programs do CALL ; POP . They are viruses and a good chunk of DOS programs. Down with MicroSloth."

------------------------------

Date: Fri, 23 Sep 94 16:40:57 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

In article <0012.9409231309.AA16142@bull-run.assist.mil>, Iolo Davidson wrote:
> datadec@corsa.ucr.edu "Kevin Marcus" writes:
>
>> Instead, people shouldn't balk and scream that it's too hard to
>> find skilled people, but rather, it is easy to find people who
>> have the appropriate background in computer architecture, and the
>> laziness is what keeps the employers from training them on the
>> specifics.
>
>It isn't that easy. I know because I went through the process.
>It takes years of actual experience researching viruses to become
>really proficient. The top people have been in it from the
>beginning, and you can never catch up to them if you start now.

There is a term about how secure some government's systems really are, and the term is called "security by obscurity"; nobody in the public knows anything about it, so the system is secure. I see this kinda crap going on a lot with AV authors. Nobody knows about viruses, or even AV packages, so you can't find anyone who knows much about it.
My father does work for the military in a field that is mostly confidential. In some ways, that is good for him; job security -- they can't fire him and expect the system to be maintained, because he is the only person that knows about it. (That's not totally true, but the idea is there). If he were to quit, how do you think they would replace him? They would have to find someone who has already read these confidential documents and knows what needs to be done, what the specification of the system is, etc. However, that isn't going to happen. Instead, they [will probably can the whole system...!] will look for someone to fill in the place. That person needs to be trained.

Your statement about top people is very short sighted. It is analogous to saying that someone that did something well a long time ago must have kept up with technology and must still remain the expert today. This is not at all true.

>> Whenever someone gets a new job, they *always* get some kind of
>> training on what they are doing,
>
>Which makes them a beginner, with the basic skills and little
>experience. That makes them useful, but not a top researcher.

Exactly; they have to start somewhere. And, considering how much time most of these people must be spending supporting their products, I wonder exactly how much more experience they are getting. Consider a professor vs. a student. The professor is the expert. He trains the student. Soon after, the student is the one writing the papers and setting the standards.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
"Two types of programs do CALL ; POP . They are viruses and a good chunk of DOS programs. Down with MicroSloth."
------------------------------

Date: Sat, 24 Sep 94 13:19:52 -0400
From: elis@teleport.com (Eli Shapira)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

In article <0013.9409221411.AA14635@bull-run.assist.mil>, frisk@complex.is (Fridrik Skulason) says:

>Unfortunately, your safeguards are worthless. Any decent assembly-language
>programmer can easily remove them, and create a fully working virus, without
>your restrictions.
>

Any decent assembly-language programmer does not need Rosenthal's program to do that.

Frisk,

Your US distributor is using his (Rosenthal) program to show customers how your great product catches them. What exactly do you have against it? Or you just got infected by the Vesselin Virus...

Eli Shapira

------------------------------

Date: Sat, 24 Sep 94 19:28:56 -0400
From: Iolo Davidson
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

In article <0013.9409231309.AA16142@bull-run.assist.mil> elis@teleport.com "Eli Shapira" writes:

> you all know that every AV vendor is asked to give
> viruses to customers evaluating their products.

And to journalists who want to run comparative tests on a number of products for published reviews.

> Since we do not want to give "real viruses" to customers we all
> make our own little harmless samples that will work with our AV
> product. I have seen hundreds of these samples from almost every
> AV vendor. Most of them will work only with the AV product from
> the vendor that created the sample.

I don't know *any* vendor that does this. Dr. Solomon's and Fprot have a file that can be used as an installation test, but it does not represent itself as a "sample" and it would be misleading for it to be called that. Dr. Solomon's doesn't even supply the file, it just tells you how to create one in the documentation. Any collection of "samples" such as you describe is exactly as valuable as Rosenthal's collection, ie worse than worthless.
> VIRSIM2C should not be used to test detection rate or scanning
> quality of one Anti-Virus or another. I understand that Mr.
> Rosenthal is no longer trying to promote his utility for that
> purpose.

His documentation still reads that way. And when did "Oh we don't do that anymore" become a justification for past misdeeds?

> It is however a very useful tool that can help a customer that
> understands absolutely nothing in viruses to see how the Anti-Virus
> he/she evaluates - reacts to a "virus". It helps them do it without
> risking an infection by a real virus.

No, it misleads people who do not understand, leading them from simple ignorance to a belief in erroneous information. Thinking you know when you are wrong is much worse than simply not knowing.

> Finally there is someone that is willing to work with all the
> AV vendors, came up with a standard that all of us can work with

Only the foolish ones.

> and is not trying
> to make millions of dollars from his simple idea.

The idea is simplistic and worse than useless, and he is charging people money.

> He is even giving the
> full non-shareware product to any AV vendor - free of charge.

After which he will claim them as a user, to add to his list of "military and government departments" that he keeps quoting.

> An Anti-Virus can easily distinguish between a real virus and a
> "simulated" one and can inform the user about it.

What for? "Look! My virus detector is so good it can find things that aren't viruses!" The only reason to fall in with this nonsense is to promote Rosenthal's useless product for him. I would have serious doubts about any vendor who cooperated with spreading this misinformation.

> So... what's the problem ?

Anyone with any sense doesn't want any of this stuff to rub off on them, that's what. And as long as the nonsense keeps being promulgated here, there will be people who will keep putting it straight.
- --
THE TIME IS WHEN YOU'RE TO START OFFERED A SUBSTITUTE A REAL DISPUTE
Burma Shave

------------------------------

Date: Sun, 25 Sep 94 22:46:09 -0400
From: parvo@netcom.com (Breath me in...)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

>> Certainly. The current shareware version of my Virus Simulator
>> anti-virus product is available from most FTP sites as
>
>This is the FOURTH time you are advertising your viruses here. May I
>ask the moderator whether the guidelines of this newsgroup have
>changed lately?

Ahem...ROSENTHAL'S VIRUS SIMULATOR IS _NOT_ A PIECE OF SOFTWARE THAT CREATES VIRUSES, NOR IS IT ITSELF A VIRUS!!! How many times must people tell each other this???!?!?!

>> Additionally, you might also try the ICARO ftp sites as well. But
>> I'm not sure they're aware of its existence.
>
>Our site is one of the ICARO ftp sites, I am aware of its existence, it
>is not available here, and will NEVER be. Unlike you, we do not
>distribute viruses.

Perhaps you need to REREAD THE ABOVE!! IT IS _NOT_ A VIRUS!!! IT DOES NOT REPLICATE NOR DOES IT CREATE CODE THAT REPLICATES!!!! Jesus Christ!! I thought at least you...the Dark Avenger...would know what is a virus and what isn't!! BTW, just loved your Mutation Engine!! You like SMEG?? Don't you wish you wrote that one??

>> If you still have trouble finding it, please don't hesitate to
>> contact me directly.
>
>If you felt like misleading yet another user with your product,
>couldn't you have contacted him by e-mail?

ROSENTHAL HAS NEVER MISLED ANYONE CONCERNING HIS PRODUCT!! OTHERWISE, PROVE IT...IF YOU CAN'T...THEN GIVE IT A FUCKING BREAK MR. DARK AVENGER!!

INFES-Station +703.631.4225
NuKENet RULES!

- --
+------------------------------+
| D i g i t a l  J u s t i c e |
|                              |
|       parvo@netcom.com       |
|     INFES-Station SysOp      |
|         NuKENet '94          |
+------------------------------+

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 82]
*****************************************
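Editor's added example; this is not part of the digest and not any poster's code. Several questions in this issue (John Foulds' Stoned left "in the partition table", Marco Foss' FORM_A and SYS C: versus FDISK /MBR, Padgett Peterson's floppy boot sector repair) come down to which sector a boot virus occupies. A Stoned-type infector takes over the master boot record (MBR) and has to keep the partition table at offset 0x1BE intact or the disk stops working; a Form-type infector takes over the DOS boot record (DBR) and likewise keeps the BIOS Parameter Block at offset 0x0B. The Python below parses a 512-byte sector image, decides which of the two it is from those standard layouts, and compares its bootstrap code against a saved clean copy the way a boot-sector integrity checker does, reporting whether the data area a cleanup tool must preserve is still intact. The sector images are constructed inline (a FAT16 partition entry, a 1.44 MB FAT12 BPB, filler bytes standing in for boot code); none of it is virus code and the offsets come from the MBR/DBR format, not from the posts.

```python
"""MBR vs DOS boot record: classify a sector and spot replaced bootstrap code (added example; constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 0x0B       # BIOS Parameter Block of a DOS boot record
DBR_CODE_START = 0x3E   # DBR code follows the extended BPB
PT_OFFSET = 0x1BE       # four 16-byte partition entries in an MBR
SIG_OFFSET = 0x1FE      # 0x55 0xAA boot signature
PT_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[SIG_OFFSET:] == b"\x55\xAA"

def partition_entries(sector: bytes) -> list:
    """Decode the four partition slots; an all-zero slot is unused."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PT_ENTRY, sector, PT_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def looks_like_mbr(sector: bytes) -> bool:
    """Boot signature plus a sane partition table with at least one used slot."""
    if not has_boot_signature(sector):
        return False
    entries = partition_entries(sector)
    if all(e["type"] == 0 for e in entries):
        return False
    for e in entries:
        if e["status"] not in (0x00, 0x80):   # only inactive/active are legal
            return False
        if e["type"] and (e["lba_start"] == 0 or e["sectors"] == 0):
            return False
    return True

def looks_like_dbr(sector: bytes) -> bool:
    """Jump instruction at offset 0 and a plausible BPB behind it."""
    if not has_boot_signature(sector):
        return False
    if not ((sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9):
        return False
    bps, spc, reserved, fats, _root, _total, media = struct.unpack_from("<HBHBHHB", sector, BPB_OFFSET)
    return (bps in (512, 1024, 2048, 4096) and spc in (1, 2, 4, 8, 16, 32, 64, 128)
            and reserved >= 1 and fats in (1, 2) and media >= 0xF0)

def classify(sector: bytes) -> str:
    if looks_like_dbr(sector):
        return "dbr"
    return "mbr" if looks_like_mbr(sector) else "unknown"

def code_region(sector: bytes, kind: str) -> bytes:
    """The bytes a boot infector overwrites; the partition table (MBR) or BPB (DBR) is checked separately."""
    if kind == "mbr":
        return sector[:PT_OFFSET]
    if kind == "dbr":
        return sector[DBR_CODE_START:SIG_OFFSET]
    raise ValueError("not a recognised boot sector: %s" % kind)

def code_fingerprint(sector: bytes) -> str:
    # SHA-256 of the bootstrap code only; record this from a known-clean disk as the baseline
    return hashlib.sha256(code_region(sector, classify(sector))).hexdigest()

def diagnose(baseline: bytes, current: bytes) -> str:
    """Compare a saved clean sector with a fresh read and report which part changed."""
    kind = classify(baseline)
    if classify(current) != kind:
        return "layout changed: sector no longer parses as a %s" % kind
    if code_region(current, kind) == code_region(baseline, kind):
        return "clean: %s code unchanged" % kind
    if kind == "mbr":
        same = partition_entries(current) == partition_entries(baseline)
        return "mbr code replaced, partition table %s" % ("intact" if same else "altered")
    same = current[BPB_OFFSET:DBR_CODE_START] == baseline[BPB_OFFSET:DBR_CODE_START]
    return "dbr code replaced, BPB %s" % ("intact" if same else "altered")

# Constructed sample sectors: plausible layouts, filler code, no virus bytes.
def make_mbr(code: bytes) -> bytes:
    """One active FAT16 partition (type 0x06) at sector 63 plus the given bootstrap code."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(code)] = code
    struct.pack_into(PT_ENTRY, sec, PT_OFFSET, 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\xCF", 63, 417690)
    sec[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sec)

def make_dbr(code: bytes) -> bytes:
    """1.44 MB floppy: jump, OEM name, FAT12 BPB (bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT), then code."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3], sec[3:11] = b"\xEB\x3C\x90", b"MSDOS5.0"
    struct.pack_into("<HBHBHHBH", sec, BPB_OFFSET, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    sec[DBR_CODE_START:DBR_CODE_START + len(code)] = code
    sec[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sec)

FILLER = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 32   # stand-in for real boot code
OTHER = b"\xFA\x8C\xC8\x8E\xD8\xBD\x00\x7C" + b"\x90" * 32        # different code, same data areas
CLEAN_MBR, REPLACED_MBR = make_mbr(FILLER), make_mbr(OTHER)
CLEAN_DBR, REPLACED_DBR = make_dbr(FILLER), make_dbr(OTHER)
```

What the result means for cleanup: if diagnose() reports the MBR code replaced but the partition table intact, rewriting only the first 446 bytes (which is what FDISK /MBR on MS-DOS 5 and later does) restores the disk; if the table itself reads as altered, that rewrite brings nothing back and a saved copy of the sector is needed. A DBR whose BPB is intact is rewritten by SYS C:, which is why the clean-boot-and-SYS route works on Form-type infectors and does nothing for a virus sitting in the MBR. On a real machine, dump sector 0 of the disk (or of the floppy) with a raw-sector tool, keep the clean dump, and pass both reads to diagnose(); code_fingerprint() is the value to store if you only want to keep a checksum rather than the whole sector.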