VIRUS-L Digest   Wednesday, 19 Oct 1994   Volume 7 : Issue 85

Today's Topics:

Re: Honecker ??? (PC)
Re: ANSI Bomb?
Common Virus Sources
Re: self-integrity tests
Security research help !!
Has this been done
Tunneling
Re: [Q:] What does 'tunneling' means?
Philosophy
Unix viruses and Internet worm (UNIX)
Re: Help, unknown virus. (PC)
Exebug (PC)
Possible new virus (PC)
Monkey Virus is on our backs... (PC)
How do boot sector viruses speard from X to X? (PC)
Dalian_China virus (PC)
Re: "anti thunderbyte" [sic] (PC)
Re: ANSI Bomb? (PC)
Re: .EXE infection: How is it possible? (PC)
Help! How to get rid of BFD virus? (PC)
Virus...lost and found (PC)
? HLLC.16850 (PC)
Re: Monkey.Stoned virus on multimedia 486 won't go away... (PC)
Smile Again virus (PC)
MONKEY 2 (PC)
Re: GenB Virus - Need Help! (PC)
Possible new virus! (PC)
HLLC.16850 (PC)
Monkey Virus ****** Possible FIX (PC)
Update: WPWIN6.0 and NATAS (PC)
Re: vds30p.zip - AV package w/scanner, integrity checker etc. (PC)
unknown virus (PC)
Help: Stuck with [GenP] virus (PC)
EXEBUG is getting meeeeeeeee! (PC)
Unstoppable virus? (PC)
Something I found (PC)
Exebug won the battle (PC)
can't run new exe files (PC)
Anti-CMOS Virus Infection - HELP! (PC)
Re: Looking for specific-purpose virus scanner (PC)
Re: VCL?? (PC)
V-Sign Virus (PC)
Help please: Monkey? (PC)
ACID.COM & RAMCHECK.EXE (PC)
Whisper Virus question (PC)
KOH - The useful virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 05 Oct 94 10:05:40 -0400
From: m.brown@imperial.ac.uk (Mr M.J. Brown)
Subject: Re: Honecker ??? (PC)

pnd2@ukc.ac.uk writes:

>Believe there is a virus out called Honecker. Is this true?
>Heard tell that it is somewhere in the Eastern part of Germany,
>meaning the old East Germany. So, if TRUE, what does it do.
>Which scanners can detect the virdude?

It does exist, although it's IMHO only marginally a virus. It's a program approximately 50Kb in length that, on a certain date (I seem to remember it's the anniversary of German reunification, but I may be wrong) displays a caricature of Honecker and a message in German, the last words of which are "I'll be back!" while playing the GDR's national anthem on the PC speaker. It also deletes the autoexec.bat file when it triggers. When run it copies itself to various locations on the directory tree, and additionally adds itself to any .bat files it finds.

I believe many scanners detect it by now; certainly Sophos' Sweep does, because I work for them and tested this. It's not polymorphic at all and is therefore very easy indeed to detect.
- -Matt
- --
Morven ------------ m.brown@ic.ac.uk ------------ Matthew Jude Brown
Sophos PLC, 21 The Quadrant, Abingdon, Oxon OX14 3YS - (0235) 559933
32 Goldsmiths Lane, Wallingford, Oxfordshire OX10 0DN (0491) 833990
| We are the people our parents warned us about |

------------------------------

Date: Wed, 05 Oct 94 10:06:35 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Re: ANSI Bomb?

Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk) writes:

>Could someone tell me what a ansi bomb is?
>Thanks in advance..

An ANSI bomb can be either/most likely a Trojan. Often, it remaps your keyboard. If you use the program called Pksfansi.com all problems with most ANSI bombs are gone. I say most, because I have seen ANSI bombs put in File_id.diz's using the Zip Comment format, and have seen them corrupt !

-Zep-

------------------------------

Date: Wed, 05 Oct 94 15:04:45 -0400
From: drmaier@wam.umd.edu (Louis Maier)
Subject: Common Virus Sources

I'm trying to find out what the most common sources of infection are for typical PC based users/organizations (i.e. BBS's, shrink-wrapped products, internet, network technicians updating/diagnosing machines with infected disks, etc.) In particular, people in the organization I work for want to know how "safe" internet is. If anyone knows how safe internet is vs. shrink-wrapped sources, this would be especially helpful since shrink-wrapped sources are the most common here. However, even information as vague as "Internet has had many/few virus carrying PC executables this year" would be helpful.

Thanks in advance,

- --Marty Maier

------------------------------

Date: Wed, 05 Oct 94 19:09:08 -0400
From: "Frans Veldman"
Subject: Re: self-integrity tests

bondt@dutiws.twi.tudelft.nl (Piet de Bondt) writes:

> F-Prot and TBAV at least do a sanity-check on their own programs, and (as
> I use this one most of the time) TBAV checks every file that gets either
> executed, or moved/copied.
> You can decide on your own that 'harddisk' executables are to be trusted,
> but extracting files from an archive-file (.arj, .zip or whatever) that
> you copied to your harddisk makes this rather dangerous practice... so I
> configured it to check *every* file that wants

No, it isn't dangerous at all, because files are automatically scanned when extracted. Always. So in normal circumstances it is not necessary to scan files 'on execution' because they have already been scanned while unarchived/copied/moved/downloaded. It is only necessary to scan files 'on execution' which reside on diskette, because they have not been checked.

- --
Thunderbye, Frans Veldman     <*** PGP 2.3 public key available on request ***>
Frans Veldman                 Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl          Fax   (ESaSS)  + 31 - 80 789 186
2:280/200.0@fidonet           Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Thu, 06 Oct 94 01:33:04 -0400
From: pardo@ncat.edu
Subject: Security research help !!

Hello every one!

I am a Graduate Student at North Carolina A&T State University. I am doing my second semester in Computer Science with emphasis on Software Engineering. I am interested in SECURITY, so I focused my attention on management practices. Now I have chosen a title for my project: "COMPUTER SECURITY MANAGEMENT PRACTICES". I will let you know my research scope and I will appreciate any comments that will help me to improve my research. Also I will be glad to receive any suggestion on the SECURITY field.

*************************************************************************
My E-MAILS and my ADDRESS are open to all the suggestions and information available such as magazines, references of books, seminar papers, news on news-groups, government and commercial publications, etc, etc, etc, etc. Also, I can receive that information in English or Spanish.
*************************************************************************

"COMPUTER SECURITY MANAGEMENT PRACTICES"

RESEARCH GOALS:

The goal of this project is to describe effective computer security management practices for Local Area Network and Wide Area Network environments. A large number of publications, seminars, and regulations attempt to address the problem of security management in such environments. Unfortunately this material remains dispersed, and there is a need to coalesce the available data into a simple guide form. This would list the various "DO" and "DO NOT" rules which could be used to support unclassified computer security training managers. The over-riding goal will be to produce a document which outlines what a manager of a LAN or WAN site should do to ensure effective computer security.

TECHNICAL SUMMARY (METHODOLOGY):

In order to accomplish the overall research goal, I will concentrate on the following issues: (liable to change)

a. Prevention : Good planning.
b. Cost-benefit analysis : It is less expensive to avoid rather than recover.
c. Statistics/Probabilistic concepts : Risk reality in numbers (i.e. assets).
d. Surveys : I am concentrating now on this part. Any quick suggestion is welcome (forms, questions, etc), any target (vice-presidents, managers, executives, owners, treasurers, supervisors, plant, secretaries, consumers, and people in general).
e. Auditing : Standard controls.
f. Tools and Techniques : Any security safe-guards. The difficulty to get the proper budget for security purposes.
g. Training : Management and users.
h. Communication networks : LANs and WANs. (Managers' nightmare).

I express my sincere thanks in advance.

- -------------------------------------------------------
WILLMER PARDO                    N.C. A&T STATE U.
1373 Lees Chapel Rd. # B103      Computer Science
Greensboro, N.C. 27455           pardo@mercury.ncat.edu
"Love your neighbor              pardo@coleman.ncat.edu
 as yourself"
- -------------------------------------------------------
- --
*********************************************************************
WILLMER PARDO                    NORTH CAROLINA A&T STATE UNIVERSITY
1373 LEES CHAPEL RD. #B-103      GREENSBORO N.C. 27455
pardo@garfield.ncat.edu

------------------------------

From: binesh@panix.com (Binesh Bannerjee)
Subject: Has this been done

Has this kind of a virus ever been written? I was thinking, that if a virus writer wanted to, he could write a virus that say did something like this:

    Code A
    Code B
    Code C

is the original code for the virus. Now when you insert the code into the executable to be infected, you wrap these around each line or block of code.

        goto L1      <<< Block A
L2:     code A
        goto L3
L1:     goto L4      <<< Block B
L3:     code B
        goto L5
L4:     goto L7      <<< Block C
L5:     code C
        ret
L7:

Now, I can shuffle this code wherever (within limits, I can't place these instructions in data, or in the middle of an instruction,) but I can analyze the code, and place the code shuffled wherever I feel like it, or I can make the virus itself shuffle itself, and it would just keep changing. Plus, say it could have a location that kept track of where in the code it starts, so it can remember to strip out the headers (the gotos surrounding the actual viral code.) Otherwise, you'd keep increasing the size of the virus... This shouldn't be hard to do, if you restrict yourself to not using any jmps in the actual viral code, and only use jmps for the wrappers...

Other than making checksums for each executable, how would such a virus be detected? Has it been done?

Thanks
Binesh

- --
* Will sit by a pool and relax and have fun for money. *
Hey... it's going to work someday...

------------------------------

Date: Fri, 07 Oct 94 10:16:29 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Tunneling

>From: djakman@fwi.uva.nl (Kemal Djakman)
>Subject: [Q:] What does 'tunneling' means?

Tunneling refers to the ability of a virus (or actually any software, QEMM386 does a remarkably good job of this) to bypass software/hardware for direct access to a peripheral. Probably the first "tunneling" software was Lotus 1-2-3. To provide faster screen updates than its rivals, the first version bypassed the operating system and the BIOS to do direct screen updates to the video buffer. The speed was attained at the expense of portability and the wide acceptance of 1-2-3 also made the "640k barrier" a reality since the original screen buffer occupied the A000h segment immediately above 640k.

Windows 32BitDiskAccess also uses "tunneling" to bypass the OS and BIOS in the interest of speed but unlike 1-2-3, Windows checks to see if the path is valid before activation. If the check fails, a black screen with a warning notice appears. Since most MBR and BSI viruses interfere with this check, 32BitDiskAccess would rate in the top five for low level virus detection.

A final point: while "tunnelling" is often used in a generic manner, there are actually different levels that can be used. Some programs use "tunneling" to find a direct route to the peripheral at the hardware level. Others merely seek the BIOS entry, while still another group merely attempt to bypass the Operating System. A recent low level infecting virus - One Half aka FreeLove - is referred to as a "tunneling" virus despite the fact that it only "tunnels" beneath DOS and any BIOS level protection residing under DOS will still detect/block the virus.

I hope this helps,

Warmly,
Padgett

------------------------------

Date: Fri, 07 Oct 94 17:10:30 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: [Q:] What does 'tunneling' means?

Kemal Djakman wrote:

>I have noticed that several posts here mention 'tunneling' viruses,
>or 'anti-tunnelling' methods.
>I can't find it in the FAQ. Would someone
>be kind enough to explain it to me?

Tunneling is the practice of finding the original vector of an interrupt. This is often done by placing the processor into single step mode, and the int 1 handler then checks cs:ip to see if it falls in a certain range. So, for example, if CS suddenly becomes f000:xxxx, then the int 1 handler can record the address. Of course, the program needs to call the interrupt it wants to tunnel. This allows a virus to totally bypass any other software which might be installed by directly calling the interrupt vector, instead of calling the vector in the IVT.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
"Two types of programs do CALL ; POP . They are viruses and a good chunk of
DOS programs. Down with MicroSloth."

------------------------------

Date: Fri, 07 Oct 94 18:04:35 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Philosophy

>From: dnikuya@netcom.com (dave nikuya)
>Subject: How does one become a "respectable" researcher?

>A paradox of government,
>recognized even by the ancient Greeks, is that people of the necessary
>quality, wisdom, and integrity to decide these issues for society are
>among those least likely to possess the ambition and ruthlessness
>required to obtain high public office.

I always like the version that goes "Anyone who wants to be a politician, shouldn't".

>Well, this is a very stringent requirement. While I sympathize with
>your motives, I am sure that you are aware that many people suspect
>elements of the anti-virus community of spreading viruses in order to
>increase demand for their services.

It is to laugh. Most of those I know are operating, as I am, on negative free time and way too much time is being spent on dumb viruses whose polymorphic engines do not make detection any harder but which make removal/recovery very difficult.

>Can there be no middle ground, where a responsible entity can make
>viruses available to adults willing to identify themselves and sign
>a statement promising responsible use, to remain on file?

Sure there *could* but considering that no-one wants to fund such a thing as a "National Computer Security Lab" (estimated start up 10 Mil$), it is doubtful. Other than for wannabes, what benefit would it serve ?

>By way of analogy, guns are obviously very dangerous, and are involved
>in thousands of crimes and accidents every day. Yet in the US, you do
>not have to prove that you are responsible and competent to buy a gun;
>you only have to prove (at most, and very informally) that you are not
>a convicted felon or a lunatic.

So open a virus shop if you want to. There is no law against it. Gun shops must be licensed and keep records. Right now there is no law against a virus shop.

>The parallel I am trying to draw is that if distribution of clearly
>marked viruses is made illegal, then people who want to get viruses in
>spite of the law will still do so, but their only source will be the
>underground BBS's that demand a new virus as initiation, so that you
>may have the unintended effect of increasing the production of viruses,
>and the proliferation of BBS's run by unsavory characters.

Personally would rather hear that people had come to the same conclusion that I did a couple of years ago - viruses are boooooring. The fact is that there is no real market (other than a niche one like buggy whips and ninja knives). Also I doubt that viruses will ever be made illegal particularly since there would have to be a legal definition of what a virus *is* and even the "experts" cannot agree on that.

>Perhaps he
>could have gone either way in the beginning, but the vituperation he
>got from the "legitimate" AV community, plus whatever success the AV
>community had in keeping "respectable" researchers from subscribing to
>his publications, left him with nothing to lose among researchers and
>a customer base with a disproportionate number of non-respectable
>characters.

Will say the same thing now that I said then, his books are full of errors and limitations (e.g. the boot sector virus in the LBB will only work with DOS 3.x) but anyone who can spot the errors doesn't need the book.

>there is often an undercurrent of
>condescension or even ridicule when these insiders refer to people who
>are interested in AV activities, but who have not established
>themselves as members of this community.

No, I disagree. The problem is that there are so many wannabes out there who want to become instant experts without really understanding the subject. Quite often I get requests from people who want MBR viruses who do not even know where the executable code loads in memory or what the register values must be on termination (according to the IBM technical specification for PC-DOS v3.0 and up). Similarly, to understand boot sector infectors, first you must understand what the differences are between a DOS 2.11 boot sector and 3.3 and 5.0 and why they are incompatible. This is freely available from any number of sources yet few bother to study. "First, review the literature".

>It is not at all clear to me how an outsider becomes an insider in the
>AV community. Must one work for a Fortune 500 company, or at a major
>university? It seems to me that there are many sincere and competent
>people who would not meet these criteria, and possibly some nefarious and
>incompetent people who would.

This statement shows that you are missing the point. A "community" as you will is under no legal or moral obligation to admit *anyone*. YOUR civil rights are not infringed by MY right of privacy. This is one of the freedoms we still have in this country.

>Am I completely ignorant of the
>facts? Is there some professional organization that I can join which
>will allow me access to the virus libraries even though I am not a
>Ph.D.?

No, and this seems to be the misunderstanding - there is no professional organization or not-for-profit or educational institution involved. It is a collection of individuals who choose their friends and what they share or do not share. There is no public virus library but private collections.

>I have seen many posts from insiders that encourage questioners to send them
>a virus for study. Then these same insiders discourage making viruses
>available for study to anyone else. This is what I was alluding to
>above when I mentioned a conflict of interest: they are acting so as
>to perpetuate their monopoly on expertise.

Personally, I would be happy if another virus never were written. But the simple fact is that you do not need viruses if you really understand how the PC works since all possible PC viruses fall within that envelope. Of course I am biased since none of my software knows what a virus is, it depends on knowledge of what a PC is and how it should act. Consequently, I am far more interested in the operational differences between Phoenix and AMI BIOSes than what the One Half virus does. The last real change before release of DiskSecure II (FreeWare mind you) was to accommodate an anomaly in the early IBM AT BIOS handling of Int 10 and not a virus.

>No less authorities than Vesselin and Frisk have made
>very forceful posts that simulators are useless for working with AV
>products, so what am I to do?

True, simulators do not simulate everything and are valid only in a specific context (which is rarely defined). The problem with simulators is the false sense of security they can provide and the fact that many products will not consider their output to be viruses *because they aren't* !

>That leaves me two choices---get them from Ludwig's
>CD or an FTP site, or get them from a BBS that requires me to first
>contribute a new virus.

True, you have choices but *all* are examples of the free enterprise system at work:

1) Exchange money for viruses from those who would sell them.
2) Exchange like work for viruses.
3) Exchange diligent study and worthwhile contribution for study materials consistent with your demonstrated expertise.

>I can stand the insult, but you will put me in a very difficult
>position if you are able to carry out your campaign of making illegal
>the availability of clearly marked viruses to people who accept the
>risk and responsibility.

Have never said that viruses should be illegal, merely that writers should be responsible for their effects. Do reserve the right to decide *who* to give software that is in my possession to. What you seem to want is something for nothing and why should I bother ? Ever hear of the concept of "consideration" ?

>I beg you to recall that you were not always a world-renowned
>authority, and that you wouldn't be one today if someone hadn't taken
>a chance by providing you with live viruses.

You have got to be kidding. *All* of the early viruses I encountered were from the "wild", visit any university and you can find more "beginner" viruses than you could ever want.

Sorry to go on for so long but America is based on the free enterprise system. Sometimes people seem to think that "all men are created equal" is synonymous to "from each as he is able". Nyet. Try reading Ayn Rand's "The Virtue of Selfishness" first.

Warmly,
Padgett

ps the net is already making a difference in politics. Now as soon as every franchised American is able to vote electronically on every issue we will have a real democracy (whatever that is) of course most won't.
------------------------------

Date: Thu, 06 Oct 94 09:34:01 -0400
From: Mohammed Ali
Subject: Unix viruses and Internet worm (UNIX)

dear reader,

i am a newcomer in the unix world and internet, i will be grateful if you could provide for me any general information about viruses in UNIX. What is the internet worm? Are there FAQs?

regards
Ali

- --
PEM Programmentwicklungsgesellschaft fuer Microcomputer mbH
Mohammed Ali
Vaihinger Str. 49, FRG 70567 Stuttgart
PostBox 810165, FRG 70518 Stuttgart
Xlink POP Stuttgart | Ali@pem.com | voice: +49-711-713045 | fax: +49-711-713047

------------------------------

Date: Wed, 05 Oct 94 10:09:03 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Re: Help, unknown virus. (PC)

at796@freenet.carleton.ca (Ajay Kapal) writes:
>
>In a previous article, cs911035@ariel.cs.yorku.ca (CHRISTOPHER M. ACKNEY) says:
>
>>Hi there, I'm new to this group, so I don't know the ins and outs of viruses.
>>However, a friend of mine seems to have gotten himself into a wee bit of
>>trouble.
>>
>>It seems that after a certain amount of time on his computer, the characters
>>on the screen begin flashing in different colours. It may be a video problem,
>>but then shouldn't it occur when he turns his computer on. Also, the
>>background remains stable.
>>Besides this, his computer speed drops noticeably.
>>He's used McAfee scan117, but to no avail.
>>Can anyone offer any help
>
>DOH! i have the exact same virus...just sprouted up today...(er...make that
>yesterday...) i tried to use scan117, f-prot213a, and Thunderbyte 6.22.
>none of them caught it.
>f-prot doesn't even think a virus is in mem...perhaps the virus resides in
>EMS/XMS. I know that if i bypass my config.sys and autoexec. files, the
>virus doesn't show up (ie, perhaps cause i don't load up the memory manager..)
>Or of course, it could just be an infected file in autoexec and/or config.sys
>
>ps...the virus doesn't work under os/2 (as far as i can see...ive been using
>os2/2.1 for quite a while and it hasn't showed up yet..
>
>Windoze 3.1 slows to a crawl tho (or is that normal :^))
>
>HELP!

Just re-install DOS ,,, If you take all the programs that are running via your Autoexec.bat and Config.sys, and copy them back over them, more than likely your probs will go away. Just remember to copy protect your floppys.

-Zep-

------------------------------

Date: Wed, 05 Oct 94 10:48:12 -0400
From: mshmis@world.std.com (MSH MIS)
Subject: Exebug (PC)

I have recently found Exebug on a number of computers and it seems difficult to eliminate. Yesterday I booted from a clean write protected boot diskette which contains McAfee's latest anti-virus software. The message on the screen said that traces of exebug were found in memory. How could this be?

Please e-mail me at GFrick@msh.org if you have any experience with Exebug or solutions to my exebug problems.

Thanks
Greg

------------------------------

Date: Wed, 05 Oct 94 11:17:58 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Possible new virus (PC)

My dear Friends,

New Virus!!!!

Three days ago strange things happened with my computer. The computer hangs every time in the AUTOEXEC.BAT. I thought that there was something wrong with my new cache DRAMs I installed 1 week before. I watched the system startup pressing the F8 key. The system hangs up by executing every COM and EXE file. The next day I talked to some friends of mine about my problems and one of them had the same problem. He solved this problem by low-level formatting his harddrive two times. I give a damn about formatting my harddrive. So today I went to a friend's to show him my problem.

8 hours of searching:

At first we recognized that many COMs were larger than the original ones. We started a DiskEditor to load the original COMMAND.COM. In the second window we loaded the infected COMMAND.COM and watched the data at the end of the infected COMMAND.COM. The original end was at 0000:D55Bh offset. (MS-DOS V6.2 COMMAND.COM) The infected end was at 0000:DA8Ch offset. (English) So 1329 bytes were added by the virus! The same thing was with KEYB.COM and DOSKEY.COM.

We replaced the infected files and installed TSAFE in the first line of the AUTOEXEC.BAT to see which files the VIRUS would infect first. TSAFE told us that an unknown TSR tried to modify the EDIT.COM in the DOS directory. The next step was that we tried to hide the DOS directory from the virus by just renaming it to "DIS". This was hopeless since the VIRUS scanned both FATs to find its targets.

The idea we got was to capture the added bytes from the infected files. We compared them and found out that they were completely different except some small parts. We decided to investigate these small parts. But the problem was that the filecompare program was only able to show us the differences of these two captures. (have a look at KEYB.SGN and DOSKEY.SGN) After experimenting how to make the FC program run to give us the similar strings, there was only the one way out: to print the captures and make it ourselves. After 1 hour of work we found three strings in both captures.

1: "EB 3B 90"
2: "8C C8 8E D8"
3: "B8 68 02 8B C8 8B C1 8B C8 81 34" (THIS WAS THE ONE)

We inserted all strings in the F-PROT VIRUS list. The first and the second string were found in all EXE and COM files. We thought we got him but these two appeared also in the files on the clean computer. The third string seems to appear not in all executable files. We tested the third string on the clean computer to make sure it wasn't a normal COM or EXE file routine. We didn't find this string in any file of the clean computer!

SOLVE:

We prefer to make a clean BOOTDISK with the SYS.COM. Boot with this disk and type "SYS C:". The bootsector is now clean. It won't activate the virus anymore by booting. Insert the third string: "B8 68 02 8B C8 8B C1 8B C8 81 34" in the F-PROT virusscanner in the Virus menu and don't forget to turn on the string search option in the scan menu. Turn on the DELETE/QUERY option. (Up to now we found no way to save your infected files. So you have to delete them.) Your harddisk must now be cleaned.

_____________________________________________
VIRUS INFORMATION:

Origin : Unknown
Size   : 1329 Bytes
Threat : Infects Bootsector, COM & EXE Files. It will add trash to the Files and make them unexecutable. Memory Resident, slows down your Computer.
Age    : About 2 Weeks (09-16-1994)
_____________________________________________

------------------------------

Date: Wed, 05 Oct 94 12:06:57 -0400
From: crosbie@pilot.njin.net (Bill Crosbie)
Subject: Monkey Virus is on our backs... (PC)

We have an infestation of Monkey around our campus. It is cropping up on all sorts of systems in different disciplines. Have used McAfee to clean the virus successfully on a network, but the virus seems to be very persistent on stand-alone systems. We ran the cleaner and the virus was removed from one system, but then I decided to run a check using NU8, diskedit on the virus signature. The signature was still present on the hard drive in a low sector (359) I believe.

Is this dangerous? Does anyone know if this virus hides itself away from normal viral locations? And finally, what can be done to totally remove the virus? I would appreciate responses from anyone with experience with this particular pest.

- ----------------------------------------------------------------------
Bill Crosbie                   "For my purpose holds to sail
Brookdale Community College     beyond the sunset, and the baths
crosbie@pilot.njin.net          of all the western stars,
(908) 224-2808                  until I die."  ~ Tennyson

------------------------------

Date: Wed, 05 Oct 94 17:03:51 -0400
From: stark@iastate.edu (Brian D Stark)
Subject: How do boot sector viruses speard from X to X? (PC)

I've often been interested in how a virus from an infected boot sector of a disk transfers to a harddrive. A long lasting rumor is that just by typing 'dir', the virus will be transferred. I have played with several boot sector viruses and they have never transferred using this method. (This message is not intended to start a flame war over the 'dir' command)

I can only take guesses at what happens. My best guess is that when you copy a file from the disk to the harddrive, the virus hooks onto this process and loads into the computer's memory. From there it is eventually copied to the boot sector of the harddrive.

Can someone please fill me in on how boot sector viruses are transferred? Please be as technical as you want to be.

thanks

- --
Brian D Stark
stark@iastate.edu

------------------------------

Date: Wed, 05 Oct 94 18:24:42 -0400
From: panther!jaguar!cmeli@relay.iunet.it (Clyde Meli)
Subject: Dalian_China virus (PC)

jmccarty@spd.dsccc.com (Mike McCarty) wrote:

>Philip Tong (CL-28951@cphkvx.cphk.hk) sent me a uuencoded EXE file,
>along with a note indicating that he believed it is infected.

He submitted it to me too. I have added detection and removal of this virus to my own local shareware antivirus as from version 2.3c. I submitted it to Mr. Tong so that he could recover from the virus. If the moderator wishes me to, I will mail a copy to the moderator for it to be placed in an appropriate ftp site. I propose to call the virus Dalian_China in accordance with the CARO naming standard.

>A quick look at the executable showed it contained suspicious code. It
>appeared to be decrypting part of the code segment. The code remained
>unchanged in size after decrypting, so I do not believe it is a
>decompression (though the file was compressed with PKLITE).

You are wrong here. It is a decompression. The Dalian_China virus is encrypted twice.
The virus only infects files with the EXE extension which start with a 5A hex byte, and adds 1366 bytes to an uninfected file. After the timer clock reaches a certain tick value, the message 'Gene!' is displayed. The virus contains the following text: 'Gene_1991_in DUT (Dalian China)'. I do not know what 'DUT' refers to. I believe Dalian is the name of a city in China or Tibet. >The new files are infective. When a DIR command is done on the infected >files, the original sizes are displayed until a reboot. This may be due >to DOS caching directory entries; it may be due to viral activity. I >did not investigate this. Dalian_China does not have any stealth ability, and the new sizes are displayed. According to my tests, after running an infected file, the virus went memory-resident. When a DIR command is done and a file is infected, the new larger sizes are displayed from that point onwards. The original sizes are never displayed since there is no attempt at stealth. The virus installs a replacement dummy INT 24 (Critical error handler) which fails every operation as well as an INT 21 handler. The virus redirects the trace vector (INT 3) to a reboot vector after the first encryption as a simple form of anti-debugging. The virus does not contain intentionally destructive code and can be repaired. Regards, Clyde - ----- Clyde Meli, B.Sc. ICARO Collaborator - Malta AntiVirus Conference Host on AccessNet Teaching Assistant Dept. of Computer Information Systems University of Malta Malta. Internet: cmeli@unimt.mt ------------------------------ Date: Wed, 05 Oct 94 19:09:06 -0400 From: "Frans Veldman" Subject: Re: "anti thunderbyte" [sic] (PC) ig891959@teak.canberra.edu.au (K. Chan) writes: > My Pc has infected the new 94's virus named 'anti thunderbyte', > it cannot be detected and cleaned with the latest version Mafee' > scanv117 and clean117. 
Is anyone can tell me any commerical antivirus Can you enlighten me how you know that your virus has the name 'anti thunderbyte' if you have no scanner that detects it, i.e. you have not a scanner that it names it as such? Besides, there is, and will never be, a virus with that name. Anti-Virus developers will never name a virus after a product. It wouldn't make sense anyway to name a virus after an anti-virus product, as many viruses are targeted against one specific or a group of anti-virus products. Would run out of names soon. - -- Thunderbye, Frans Veldman <*** PGP 2.3 public key available on request ***> Frans Veldman Phone (ESaSS) + 31 - 80 787 881 veldman@esass.iaf.nl Fax (ESaSS) + 31 - 80 789 186 2:280/200.0@fidonet Fax (VirLab) + 31 - 59 182 714 ------------------------------ Date: Wed, 05 Oct 94 19:17:14 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: ANSI Bomb? (PC) Rinse Balk wrote: [nested quote removed] )Could someone tell me what a ansi bomb is? )Thanks in advance.. There is a device driver available for MSDOS/PCDOS machines since version 2.0 called ANSI.SYS. This driver manages the display and keyboard. On output, it interprets ANSI screen control escape sequences, such as cursor positioning, clearing screen, etc. On input, it can translate characters into other character sequences. One could make the keyboard seem to send "DIR *.*" when F3 is pressed, for example. ANSI "bombs" take advantage of this capability to "program" some key to do something the user probably does not want. For example, F3 might be programmed to send "ECHO Y | DEL *.* " which would delete all files in the current directory without asking for permission. The escape sequences to reprogram the keys this way could be embedded in an ordinary seeming text file, or one which draws an interesting ASCII character picture on the screen. When the user types or copies the file to the screen, the F3 key would be redefined, without the user knowing it. 
The next time F3 is pressed (say to recall and edit a previously entered line, it's usual meaning) the local directory would be wiped. Does that help? Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 05 Oct 94 19:25:18 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: .EXE infection: How is it possible? (PC) Diego Montanez wrote: ) I have a question: how does a virus manage to attach itself to ) an executable file (.COM, .EXE) and still the executable can ) be run (of course, after the viral code has been executed)? Usually, the program copies out the first few instructions at the beginning of the program. It then puts in their place a jump instruction to the viral code, usually put at the end of the current program. This way the viral code gets to run first. Then the rest of the program is executed. Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Thu, 06 Oct 94 02:43:18 +0000 From: hassan@isl.mei.co.jp () Subject: Help! How to get rid of BFD virus? (PC) Hi. My PC at work as well as the one I have at home seems to be infected with the BFD virus. I had been using a year old version of Norton Anti-Virus protection however it did not detect this virus. However the Anti-virus program packaged with IBM-PC DOS 6.0 (IBMAVD.EXE) as well as the one packaged with MS-DOS 6.2 (MSAV.EXE) both reported it when I ran these. It seems to affect *.EXE and *.COM files. However although these AV programs were able to detect the virus, I cant disinfect the infected files using them. The most that MSAV does is to rename the files. I renamed the infected files, and then for all the infected files I re-installed them from the original MS-DOS6.2 diskettes (expanding them). 
After re-installing the size of the files I reinstalled matches the size of the ones that were infected, although I think the infected files shoud be 449 bytes longer as the BFD virus signature is 449 bytes long. After deleting the infected files I once again ran MSAV and again it says the new files that I re-installed were infected. Does anyone know of a way to get rid of this VIRUS? Thanks BTW one of the programs that MSAV says is infected is the mem command. (mem.exe) However I have been using this command quite a lot without any problem. Another file that is infected happens to be SETVER.EXE. When I load this in my config.sys, my PC hangs after executing it when booting. - ------------------------------------------------------------------------------------ Hassan Toorabally Matsushita Electric Industrial Co. Ltd. Osaka Japan. Tel:06-906-4929 E-Mail:hassan@isl.mei.co.jp ------------------------------ Date: Thu, 06 Oct 94 04:42:33 +0000 From: cs911035@ariel.cs.yorku.ca (CHRISTOPHER M. ACKNEY) Subject: Virus...lost and found (PC) I experienced some trouble two months ago which I atributed to a virus... The system basicly shut down due to overuse and was chugging like a steam train going up mt.Everest. Why you ask....? Because every bloody letter on the screen was flashing a different colour. I got my roomate to post here and thankfully got many helpful replies... those and a look in my autoexec told the drear tale. the last couple of lines from the autoexec..... c:\qemm\loadhi /r:2 /res=6048 /sqf print /d:lpt1 ver rem dosshell c:\hdlns c:\gnomes/s c:\pcf SET MEM=4000----------------> it was these little smartdr ---------------------> boogers right here... set to gobble at a particulair time..... How it happened? Who knows....but several scanners I used caught nothing... anyway getting rid of both these lines and the file made everything fine.... SO............ Thanks to everybody who responded.... 
I know that little bit more about viri and feel (a little ) safer Neil Sinclair ------------------------------ Date: Thu, 06 Oct 94 03:02:05 -0400 From: jgotobed@lpl.arizona.edu (Joe Gotobed x4549) Subject: ? HLLC.16850 (PC) McAfee v.2.1.1 SCAN.EXE reported "HLLC.16850" virus found in a file on a DOS (v6.2) machine that had lost some files unexpectedly. Apparently McAfee Co. was notified & they weren't familiar with the report. I'll get more first hand details in the morning. Could anybody comment on the seriousness of this? We've issolated the file in question. Thanks, Joe Joe Gotobed Internet (joe@arizona.edu) Network & Systems Manager Lunar and Planetary Laboratory University of Arizona Unix Users Group/General Access Systems Tucson, AZ 85721 (602) 621-4549 ------------------------------ Date: Thu, 06 Oct 94 04:36:20 -0400 From: mcafee@netcom.com (McAfee Associates) Subject: Re: Monkey.Stoned virus on multimedia 486 won't go away... (PC) Hello Mr. Berger, You write: >Boot-sector virus that acts just like the NOP we had previously on our campus. >System is running DOS 6.0 and it's a 486/66 with a 300+ Meg internal SCSI >drive. > >Tried FDISK/MBR to no avail. Tried F-Prot and CLEAN with no effect. F-Prot >says to boot from a clean disk. When I do this, it "disengages" the hard drive >so the system doesn't recognize it. Reboot from the hard drive and the drive >"pops" back to life as if nothing happened. [...deleted...] This is normal behavior for the Monkey virus. It ciphers the partition table of data on the hard disk and only deciphers when the virus is run by booting from an infected disk (hard disk or floppy). When you boot from a clean (virus-free) copy of DOS, attempting to access the hard disk using DOS will result in "invalid media" error messages. To remove the virus using CLEAN-UP V117, boot the PC from a clean DOS system-bootable diskette, insert the diskette with CLEAN.EXE on it, and run it by typing: CLEAN C: [MON] /MAINT and pressing Enter. 
To remove the virus using VirusScan Version 2.1.1, boot the PC from a clean DOS system-bootable diskette, insert the diskette with SCAN.EXE, SCAN.DAT, NAMES.DAT, and CLEAN.DAT on it, and run it by typing: SCAN C: /CLEAN and pressing Enter. Please let me know by e-mail if you have any further questions. Regards, Aryeh Goretsky Technical Support - -- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com 2710 Walsh Ave, Suite 200| FAX (408) 970-9727 | or try: support@mcafee.com Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95051-0963 USA | USR HST Courier DS | or GO MCAFEE Support for McAfee anti-virus, network management and help desk software. ------------------------------ Date: Thu, 06 Oct 94 10:55:07 +0000 From: jshaw@ozemail.com.au (John Shaw) Subject: Smile Again virus (PC) Does anyone know anything about this virus... and how to get rid of it ? ------------------------------ Date: Thu, 06 Oct 94 08:46:15 -0400 From: lrxi00@icts01.Kodak.COM (James Nonnemacher) Subject: MONKEY 2 (PC) Does anyone know how the MONKEY 2 virus is propagated? Also, is there a FAQ for this group and if so, it's location. And one last question, is there a comprehensive book on known viruses that describes how they work, how they're transferred from PC to PC and the best way to get rid of them. Thanks in adavance for any information. ------------------------------ Date: Thu, 06 Oct 94 10:58:12 -0400 From: tavo@gulf.net (tavo) Subject: Re: GenB Virus - Need Help! (PC) > >TO: spdaley@undergrad.math.uwaterloo.ca > > McAfee 2.01 GenB at 960k >There should be a clean program with mcafee - find out how to use mcafee to >clean the virus and you should be able to erase it. > I work at a Com.College and have had many "attacks" by GenB / Stealth viruses. 
We registered McAfee and found that the 2.x versions DO NOT test for the virus in memory as well as the older versions (116 / 117 ...). McAfee changed their virus engine and in the process removed something that tests for the virus even when "stealthed" in memory and on the boot or partion sectors of the hard drive. I know that some of the attacks get through but I have tested it with known infected floppys and harddrives and the ONLY package that would detect the virus under almost ALL conditions was v117. BTW if you have a "boot/partion" sector "saver" program and use that BEFORE you allow access by students to each machine then you can boot from a clean disk and restore the boot/partion sectors, scan the hard disk and that should fix the problems. On students disks you can do the same thing for each type of disk 720k / 1.44m and restore the boot sector to the student disk and scan it that should fix their disk. That's a lot faster and simpler than using CLEANv117. Tavo ------------------------------ Date: Thu, 06 Oct 94 13:19:36 -0400 From: cs000rrs@selway.umt.edu (Ryan R Snyder) Subject: Possible new virus! (PC) I have come across what seems to be a new virus. When I run SCAN117 across the floppy it's on there is nothing found, but when I use F-PROT 2.13a and 2.14 I get the message: "Scanning boot sector A: Boot infection: RM - unknown." I am then asked if I wish to disinfect. I choose yes and am told that "this virus can't be removed by this version of the program." Does anyone know how to deal with this virus? If not, how should I go about submitting it to the writers of F-PROT and SCAN? Thanks in advance for your help! - -- Ryan Snyder, Consultant & Gopher Admin | "I've never seen a bigger group of U of Montana | collectively angry, humorless, [Oct 8th-IT'S TIME! Ask me for details]| arrogant, bitter, gloomy-gus, pinback@access.digex.net re:netizens--> FROWNY-FACED people in my whole life." 
------------------------------ Date: Thu, 06 Oct 94 13:20:28 -0400 From: kitten@sneeze.resp-sci.arizona.edu (Bruce Saul) Subject: HLLC.16850 (PC) Does anyone have knowledge of this virus. It appeared on a dos v6.2 machine in another department. The systems administrator over there reported the loss of a few files. Sorry to make such a sketchy report, but that is all the information I have. Bruce W. Saul kitten@resp-sci.arizona.edu Bruce / kitten@sneeze.resp-sci.arizona.edu Tucson / heart of the American Southwest -3 hours US east coast -2 hour central time zone +0 hour california time \|/ /\ -O- /**\ /|\ /****\ /\ / \ /**\ Here there be dragons / /\ / \ /\ /\ /\ /\ /\/\/\ /\ / / \ / \ / \/\/ \/ \ /\/ \/\ /\ /\/ / / \/ \ / / \/ /\ \ / \ \ / \/ / / \/ \/ \ / \ \ / / \/ \/\ \ / \ / / \ __/__/_______/___/__\___\__________________________________________________ ------------------------------ Date: Thu, 06 Oct 94 14:04:59 -0400 From: (Derek Knight) Subject: Monkey Virus ****** Possible FIX (PC) We have found several computers here in Austin with this nasty virus. Any drives connected will be INFECTED. So, until we can find more info on this one, here is an UNTESTED home brew: POSSIBLE FIX TO MONKEY VIRUS: 1- Boot from clean floppy 2- FDISK / MBR 3- Run Norton Disk Doctor 4- do a REBUILD 5- Use diagnosis to find DOS partitions 6- Reboot Good luck! (Once again, this is untested. Try at your own risk. Tape Backup is recommended) If somebody finds a better (or workable solution), please feel free to call: CompuHouse Computers 512-451-5313 Derek Knight DKnight@mail.utexas.edu ------------------------------ Date: Thu, 06 Oct 94 15:54:10 -0400 From: byoon@red.seas.upenn.edu (Baryn Yoon) Subject: Update: WPWIN6.0 and NATAS (PC) I wrote about detecting NATAS on disk 5 of WordPerfect for Windows 6.0. It turns out that it was a false alarm. Vi-Spy 12.0 release 8.94 was the problem, but the updated release 8.94a fixed this error. Thanks to all of those who emailed. 
- - baryn yoon byoon@eniac.seas.upenn.edu ------------------------------ Date: Thu, 06 Oct 94 17:17:22 -0400 From: "David M. Sibell" Subject: Re: vds30p.zip - AV package w/scanner, integrity checker etc. (PC) tyetiser@gl.umbc.edu writes: > I have uploaded to the SimTel Software Repository (available by anonymous > ftp from the primary mirror site OAK.Oakland.Edu and its mirrors): > > SimTel/msdos/virus/ > vds30p.zip AV package w/scanner, integrity checker etc. > I've downloaded this product and it seems to run pretty well. Does anyone else have an opinion on it? Has anyone caught/prevented anything nasty with it? Please post or mail to dms6m@virginia.edu ------------------------------ Date: Thu, 06 Oct 94 23:02:22 +0000 From: jlivings@crash.cts.com (John Livingston) Subject: unknown virus (PC) I've got a friend that has just been hit by a virus, and neither McAffee, F-protect, or MS-antivirus has detected it. He keeps getting "o"'s scrolling diagonally over his screen over-writing any text on the monitor. Does anyone have any idea's what this might be or how to clean it? thanks! John Livingston _________________________________ Sysop, Livingston's Discovery BBS jlivings@discovr.cts.com ------------------------------ Date: Thu, 06 Oct 94 19:05:07 -0400 From: s1nilesh@iss.nus.sg (SE1 - Nilesh Kantilal Sahita) Subject: Help: Stuck with [GenP] virus (PC) My PC seems to have been stuck with some [GenP] virus (as reported by the Anti-virus program). I removed the virus (at least the Anti-virus program told me so), but looks like the FAT is in damaged condition. The problem is like this - let say I have a directory XYZ. I have copy of my root directory under XYZ. Hence, I seem to have recursive directory structure like: / /ABC /XYZ /ABC /XYZ /ABC /XYZ ... Appreciate if you can tell me how to get rid of this problem. Before I removed the virus, I used to encounter 'Sector not found' error when I tried to access files on the hard disk. Thanks. 
- -- - ------------------------------------------------------------------------ Nilesh Sahita | Institute of Systems Science E-mail: s1nilesh@class.iss.nus.sg | National University of Singapore - ------------------------------------------------------------------------ ------------------------------ Date: Thu, 06 Oct 94 19:59:02 -0400 From: mshmis@world.std.com (MSH MIS) Subject: EXEBUG is getting meeeeeeeee! (PC) Please help me with Exebug. Scan V117 finds it, Clean says it cleans it. V2.1.1 finds it and says a cleaner doesn't exist. Traces are found in Memory even if I boot with a floppy disk. Now the computer I am working on has an unreadable partition table. I hope the user has backups! I posted yesterday but I don't see it. I really need some help. Greg Frick Gfrick@msh.org ------------------------------ Date: Thu, 06 Oct 94 20:16:17 -0400 From: cook cornelius john Subject: Unstoppable virus? (PC) What if there was a virus that used MSDOS's int21 backdoor to execute all of it's file handling calls? In-memory virus protectors wouldn't be able to detect it or stop it. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Cornelius "Case" Cook c-cook@ux5.cso.uiuc.edu cocook@nyx.cs.du.edu I speak for nobody but myself and my pet frog. "The devils of truth steal the souls of the free." - ]\[ i ]/[ DASA ------------------------------ Date: Fri, 07 Oct 94 00:06:21 -0400 From: p_molloy@smcvax.smcvt.edu (Philip Molloy) Subject: Something I found (PC) To whoever is curious I found something interesting on my computer today. a file called tata.wri Instead of going into windows I dumped the file to the screen using the type command. What I saw were the words "I am infected with a virus" (all caps) for a few lines, and then the same message in reverse. underneath that was the message "...but I would rather have a urine sample instead" and then the garbage you see when you dump .exe files to the screen. 
After this windows would not work properly, I got the title screen and then it hung. Mcafee 117, and msav turned up nothing. any help is appreciated -Phil Molloy __________________________________ Philip William Molloy / __________________________________________ p_molloy@smcvax.smcvt.edu \ / Phone: (617) 341-4721 p_molloy@smcvax.bitnet / \ Paper: Box 3050 molloy@gnu.ai.mit.edu \ / Saint Michaels College - ---------------------------------- \ Colchester V.T. 05439 ------------------------------------------ Never be led astray onto the path of virtue. ------------------------------ Date: Fri, 07 Oct 94 09:32:05 -0400 From: mshmis@world.std.com (MSH MIS) Subject: Exebug won the battle (PC) I lost access to the HD completely. The symptoms were strange. The virus was detected in memory even when I booted from a clean, write protected boot diskette. It must've been that moment during boot up where the the HD light flashes briefly. That must've been enough to put traces in Memory. I tried NDD which saw (version 8) no problems with the HD. When (intermittantly prior to the ultimate failure) the HD was not recognized Norton DD could also not recognize it and fix it. I am really sorry that this newsgroup was unable to receive and respond to my cries for help within a day or two. In fact as I write this note the first of my three posts hasn't even been posted. Being a moderated group I am not even sure they will be posted now that I have said this. In the same time I have received six helpful responses to an e-mail problem I was having with an address in Finnland. If anyone has some ideas how to prevent terrible viri like exebug let me know. Thanks, Greg Frick Gfrick@msh.org Newton, MA USA ------------------------------ Date: Fri, 07 Oct 94 19:14:14 -0400 From: lstolwyk@uoguelph.ca (Len Stolwyk) Subject: can't run new exe files (PC) my friend's computer had the JOSHI virus, which was successfully removed by mcafee 117. 
however, since then no new programs loaded on have been able to run. the one i put on to test (a recipe database shareware program) says 'not enough memory', even though the computer has 8 meg, 486 66, and i know the program works because i ran it on mine. i have run norton disk doctor, no problems reported, nothing appears to be amiss, but still this program, and others loaded on since, simply won't run. any ideas or suggestions would be appreciated, either here or email. thanks - -- len stolwyk lstolwyk@uoguelph.ca bd903@freenet.carleton.ca ------------------------------ Date: Fri, 07 Oct 94 22:23:13 -0400 From: Simon_Cheung@kcbbs.gen.nz (Simon Cheung) Subject: Anti-CMOS Virus Infection - HELP! (PC) Using the latest version of scan V.2.1.1., one of my computers was found to be infected with the "Anti CMOS" virus. Previously, version 117 of scan identified the problem as a generic MBR virus. As a remover was not as yet available with V.2.1.1. of scan, does anyone know of what solutions I have, as I'd like to regain the use of the computer. Many thanks! S.C. PS. The system is a Compaq Concerto, running Dos 6.2. ------------------------------ Date: Fri, 07 Oct 94 23:08:09 -0400 From: ruben@ralp.satlink.net (Ruben Arias) Subject: Re: Looking for specific-purpose virus scanner (PC) Mark Mckenzie 30 Sep 1994 11:08:44 Wrote: > I am looking for a virus scanner that can be used with a network that > scans periodically all files entering the system. If there is a syst > out there that only operates when the network isn't busy, that would be > even better. I never seen in market this kind of product. You have here two big problems to solve: 1) When a system is NOT busy. In many cases Networks are Non-stop systems. 2) How affect your performance a product that scans all files (if exists) entering the system. 
Otherwise you can run a programs that launch the anti-virus at specific hours (those in which Network have less activity) and the antivirus should save a kind of LOG that'll be read for you next morning. > Something like a virus shield isn't exactly what I want, because the > program should be tranparent unless a virus is found. Many shields or "Behaviour Blockers" (to call them technically) works in the background and are transparent to users and supervisor. You may try: * Netshield of McAfee. * Intel LANProtect of Intel [US line (800)538-3373. About McAfee I suppose the actual version of Netshield is 117 (Maybe 118?). About Intel the last version I see is 1.5. Kind regards Ruben Arias - ----------------------------------------------------------------------------- Ruben Mario Arias |> /| | |> |\ | | |_ | E-mal: ruben@ralp.satlink.net RALP - Computer Security - Virus Buenos Aires, ARGENTINA. - ----------------------------------------------------------------------------- ------------------------------ Date: Sat, 08 Oct 94 01:49:45 -0400 From: Zeppelin@ix.netcom.com (George Paulsen) Subject: Re: VCL?? (PC) theoj00@DMI.USherb.CA (JEAN-FRANCOIS THEORET) writes: >Does anyone know where can be found the VCL (Virus Creation Vibrary)? Should >we really be alarmed about the emergence of such products? Are you kidding me. Where have you been. I have VCL 1.2 , VCL 1.5 / VCL 1.7 and the newest VCL 2.0 . VCL 1.2 is almost 3 years OLD, and VCL 2.0 is about a year old, if my memory serves me well. Nowhere Man, a fellow called SETH from Chicago wroth the VCL's, (I have voice with him on many occations). He was only 15 years old when he wrote the first VCL. VCL 2.0 was released by ARiSToTLE of NuKE in December or 1993. It was the first of the Windows type of VCL programs. It was writen with the help of Screaming Radish of NukE, as well as Phrozen Doberman of the Austrailian branch of Nuke. 
VCL viruses can be detected by alomost all of the leading virus AV programs; ie; F-prot/TBAV/VirX. The VCL's are on every major Virus sites such as ; Hell Pit/West Coast Institute of Virus Research/ Black Axis/Cybernetic Violence/ and any other NuKE/Phalcom Skism site. If you want further information, E-Mail me with such request. -Zep- ------------------------------ Date: Sun, 09 Oct 94 11:36:24 -0400 From: mlstokes@unity.ncsu.edu (Michael Stokes) Subject: V-Sign Virus (PC) Can anyone tell me anything about the V-Sign Virus? I recently discovered it on one of my systems and was able to disinfect with F-Prot, but there wasn't any info about it in his virus list (v2.14). Any info would be appreciated. ------------------------------ Date: Sun, 09 Oct 94 03:25:04 -0400 From: palam@delphi.com Subject: Help please: Monkey? (PC) I use Norton Antivirus to check my computer and see the "Monkey" virus message. What is that? If anyone know how to get rid of it, please give me a hand. ------------------------------ Date: Sat, 08 Oct 94 15:24:05 -0400 From: mnaber@earth.execpc.com (Mark Naber) Subject: ACID.COM & RAMCHECK.EXE (PC) I have been notified that the files ACID.COM and RAMCHECK.EXE are viruses. I have scanned the files with both MCAFEE and THUNDERBYTE and F-PROT and none of them detect those files as viruses. The Ramcheck.exe is 9,172 in size and a date of 7-26-92. The ACID.COM is 385 in length and a date of 6-17-91. Has anyone had any intervention with the following files? Thanks. ------------------------------ Date: Sat, 08 Oct 94 07:17:58 -0400 From: Iolo Davidson Subject: Whisper Virus question (PC) qureshi@ug.cs.dal.ca "Saqib A Qureshi" writes: > Now all exe's on my HD are write protected This is of no use at all for general virus protection. Almost any virus can change the file attributes itself to allow infection. 
- -- TO A SUBSTITUTE NOTHING HE GAVE A TRIAL BUT HIS SMILE IT TOOK OFF Burma Shave ------------------------------ Date: Sat, 08 Oct 94 23:46:30 -0400 From: Ben Humphreys Subject: KOH - The useful virus? (PC) Over the past few weeks I have seen many comments regarding the KOH virus. Is this the same virus that encrypts your hard drive using the IDEA algorithm? Sure it can be classified as a virus becasue it spreads itself, but is serves a purpose! How come it is being discussed here? Does it cause some sort of damage? I downloaded it just in case I ever needed to use it, but now I am concerned about it. If someone could clear things up I would be very grateful. Regards, Ben Humphreys ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 85] *****************************************
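As an added example (not part of the digest), the key-redefinition escape sequences that Mike McCarty's ANSI-bomb reply describes can be checked for before a text file is TYPEd to the screen on a machine that loads ANSI.SYS: the script below parses ESC [ ... sequences and reports only those ending in the final byte p, which ANSI.SYS treats as keyboard reassignment, leaving colour and cursor sequences alone. The sample banner, the decoding of F-key codes 0;59 to 0;68 as F1 to F10, and the cp437 file encoding are my assumptions, written for this illustration.

```python
"""Flag ANSI.SYS keyboard-reassignment sequences ("ANSI bombs") in text.

Added example for the VIRUS-L ANSI bomb thread; not code from the digest.
ANSI.SYS interprets ESC [ <key> ; <replacement...> p as a key redefinition
(key = ASCII code, or 0;scan-code for extended keys such as the F-keys),
while cursor and colour commands end in other final letters.
"""
import re
from dataclasses import dataclass

# One ANSI control sequence: ESC '[' parameters final-letter.  ANSI.SYS
# accepts numbers, ';' and double-quoted strings as parameters.
SEQ_RE = re.compile(r'\x1b\[((?:"[^"]*"|[0-9;])*)([A-Za-z])')
TOKEN_RE = re.compile(r'"[^"]*"|[0-9]+')

# Extended-key codes (assumed from ANSI.SYS documentation): F1..F10 = 59..68.
EXTENDED_KEYS = {code: "F%d" % (code - 58) for code in range(59, 69)}


@dataclass
class Finding:
    offset: int          # index of the ESC that starts the sequence
    key: str             # human-readable name of the redefined key
    replacement: str     # text the key will send after redefinition
    auto_execute: bool   # True when the replacement ends with CR (Enter)


def _key_name(tokens):
    """Translate the key part of a redefinition into a name such as 'F3'."""
    if len(tokens) == 2 and tokens[0] == "0":
        return EXTENDED_KEYS.get(int(tokens[1]), "ext:%s" % tokens[1])
    if len(tokens) == 1:
        return repr(chr(int(tokens[0])))
    return ";".join(tokens)


def decode_redefinition(params):
    """Split the 'key;replacement' parameters of an ESC[...p sequence.

    The key is one number (ASCII code) or the pair 0;N (extended key);
    everything after it is the replacement, where numbers are character
    codes and quoted strings are literal text.
    """
    key_tokens, repl, in_replacement = [], [], False
    for tok in TOKEN_RE.findall(params):
        is_string = tok.startswith('"')
        if not in_replacement and not is_string and key_tokens in ([], ["0"]):
            key_tokens.append(tok)
            continue
        in_replacement = True
        repl.append(tok[1:-1] if is_string else chr(int(tok)))
    return _key_name(key_tokens), "".join(repl)


def scan_text(text):
    """Return a Finding for every key-redefinition sequence in `text`."""
    findings = []
    for m in SEQ_RE.finditer(text):
        if m.group(2) != "p":          # cursor/colour/erase sequences: harmless
            continue
        key, repl = decode_redefinition(m.group(1))
        findings.append(Finding(m.start(), key, repl, repl.endswith("\r")))
    return findings


def scan_file(path):
    """Scan a DOS text file (assumed cp437 encoded) for key redefinitions."""
    with open(path, "r", encoding="cp437", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: a banner with harmless colour codes followed by one
# embedded redefinition of F3 (extended key 0;61) to send "dir" plus Enter.
SAMPLE = (
    "\x1b[1;31m*** Welcome ***\x1b[0m\r\n"
    '\x1b[0;61;"dir";13p'
    "Nothing to see here.\r\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print("offset %d: key %s redefined to %r%s"
              % (f.offset, f.key, f.replacement,
                 " (runs automatically)" if f.auto_execute else ""))
```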