VIRUS-L Digest   Friday, 4 Nov 1994    Volume 7 : Issue 91

Today's Topics:

alt.comp.virus has been created
An Opinion On Viruses and the Computer Environment
REQUEST: SIG Security in Sweden is compiling antivirus/virus information
Re: Is it possible to pass a virus in graphic files?
Re: Unix viruses and Internet worm (UNIX)
Natas and OS/2 dual boot machines (OS/2)
Untouchable & V-analyst 3 (PC)
Experiences with VFind by CyberSoft Requested (PC)
Re: stoned - Monkey (PC)
Re: The InVircible Anti-Virus Expert System v6.01 (PC)
Re: invb601.zip - The InVircible Anti-Virus Expert System v6.01 (PC)
Re: VCL?? (PC)
Re: Info on "Kampana"? (PC)
Help Please! Possible B1 infection on system (PC)
Re: Thunderbyte anti-virus - how good? (PC)
Re: Looking for Dr. Solomon upgrade (PC)
Re: Forms Virus (PC)
NYB / B1 virus: Here's what it does (PC)
Re: HELP with form virus / FAQ (PC)
Virus writers? (PC)
KOH re-posting alt.security.pgp (PC)
KEEPER.LEMMING virus remover? (PC)
re: Virus: Leandro and Kelly! GV-MG-BRAZIL (PC)
Re: KOH is not destructive (PC)
SYSTEM.INI (PC)
HELP with form virus / FAQ (PC)
FORM virus Info wanted (PC)
memory scanning (PC)
Exebug apparently surviving boot (PC)
Help IRISH virus on CD (PC)
MtE virus (PC)
The truth about the CD-ROM (PC)
KOH is not destructive (PC)
Strange messages from Winword (PC)
Virus named Jack Ripper (PC)
israeli boot and McAfee VSCAN117 and CLEAN117 (PC)
Virus desactivation or cleaning (PC)
KAOS4 (PC)
Re: re:JUNKIE VIRUS (PC)
Re: Rebuilding Partition Table? (PC)
Re: NYB [Gen B] virus detected. (PC)
Freddy virus again (PC)
Windows CLEAN? (PC)
Re: DOOM II (PC)
Re: Removing boot sector virus from B: (CANSU/V-sign) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU.

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 27 Oct 94 15:33:00 -0400
From: wengerm@iia.org (The Germ)
Subject: alt.comp.virus has been created

If you get the alt groups there is now an unmoderated group alt.comp.virus

- --
http://www.iia.org/~wengerm/wengerm.html
"If you're not crankin' it, you must be yankin' it."
- - anonymous radio station plug

------------------------------

Date: Fri, 28 Oct 94 07:04:15 -0400
From: Stopps J L
Subject: An Opinion On Viruses and the Computer Environment

An Opinion On Viruses and the Computer Environment
==================================================

One thing that we are all very aware of is the fact that computer viruses are certainly here to stay, in one form or another; the mechanical Pandora's box has been opened and the only thing to do is to be aware.

Some members of this digest, and indeed the computer community, feel that the need for good/friendly viruses would lead to a helpful side of viruses to the computing world. I dispute this. The computer world and environment seems to be pushing itself past the boundaries of being a systematic tool; indeed the computer community views the computer nets as more a way of life than as an advantageous business weapon. It is this computer world that is progressing so fast that we are ignoring the problems it could cause.
Trying to create a computer world too close to our own would be computer destructive. In the context of the good viruses, it is comparable to the work done by current day real life doctors and scientists. Useful viruses are used to effectively overcome problems that the biological system can not beat alone. Similarly the computer virus writer, of the 'good' virus, feels that he/she is doing something useful to the community. There are quite clearly many problems with this approach. The first problem I feel is this:

1) In the real world all vaccinations using virus strains are closely monitored; the individual who is subjected to the virus is given regular check ups and it is attempted to stop the virus leaving the body of the patient. This is not possible with computer viruses as there are too many ways the virus could get out into the world as a whole population instead of just a few computers or a single network.

2) The current day doctors prefer to use non-virus vaccination unless there is no other method of cure or vaccination. If this is the case the vaccinations/curing is done on a population scale. How could we do this with computer viruses? Why use a 'good' virus when an easy to use, controllable program would do the same job?

3) The use of over immunising on a human/biological results in the life form not evolving itself into a form that has NATURAL PROTECTION against the specific illness. Does this not illustrate to us that the computer world needs to concentrate itself more on the architecture and OS evolving into having its own form of NATURAL DEFENCE against computer viruses than to try and keep the virus facility active while endangering the computer community?
These are of course just my views and they are no doubt ignorant in many ways; for this I invite mail on the subject for conversation to < stopjw@essex.ac.uk >

********************************************************************************
JULES :- " A nightmare is just a dream you don't want."
********************************************************************************

------------------------------

Date: Sun, 30 Oct 94 15:29:21 -0500
From: perra@telia.se (Per-Erik Eriksson)
Subject: REQUEST: SIG Security in Sweden is compiling antivirus/virus information

I am part of a workgroup of SIG-Security of the Swedish Computer Association (Svenska Dataföreningen) which is a non-profit organisation. We are in the process of compiling information on where to find:

COMPUTER ANTI-VIRUS / VIRUS INFORMATION

- - Manufacturers; complete address/contact information
- - Researchers; complete address/contact information
- - Magazines; complete address/contact information, subscription prices
- - File repositories
- - Places where virus/antivirus information can be found
- - WWW/Gopher-servers
- - FTP-sites
- - appropriate News-groups / mailinglists / IRC
- - FAQ-repositories
(- Is there anything I've forgotten? then please add it to this list.)

To persons/organisations/companies: Do you maintain virus / antivirus-information? Where is it? Is access freely granted or are there special rules or charges connected with access to the information?

The reason behind this is that we are going to compile, print and present this information at a conference in Sweden later this year. We are probably also going to make this information available via a WWW/Gopher-server in Swedish (perhaps in English as well).

Any and all information is welcomed. Suggestions or questions are also welcomed of course... Please respond by e-mail.
Per-Erik Eriksson
Internet e-mail: perra@telia.se
X.400: G=per-erik; S=eriksson; I=pee; O=west; P=telia; A=400net; C=se
Telia AB, Region West, S-403 35 Göteborg, Sweden
Int: +46 31 770 18 79, Fax: +46 31 114957

------------------------------

Date: Mon, 31 Oct 94 12:19:14 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Is it possible to pass a virus in graphic files?

Mark S. Scheid wrote:
)I was told that all binary picture files must be scanned for virus infection.
)
)I don't understand how a program that reads and displays binary data can pass
)an infection contained in the graphic data file.
)
)What is the deal? Is it possible?

While a graphic image may indeed contain the object of a virus (say a really stupid virus which mistakenly infected such an image), scanning for it would be pointless. Only code which is eventually executed can damage or infect (possible exception: ANSI bombs).

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 27 Oct 94 12:38:05 -0400
From: diffeq@netcom.com (Michael Dunn)
Subject: Re: Unix viruses and Internet worm (UNIX)

The internet worm virus is extremely interesting as in how it attacked and its design. For info you can FTP to:

nic.funet.fi /pub/doc/security/worm/*

There is also a good book out called 'Virus!' ... check it out (literally, your local library might have a copy).

Mike
diffeq@netcom.com

------------------------------

Date: Thu, 27 Oct 94 12:39:48 -0400
From: sotiris.baxevanis@intelsat.int
Subject: Natas and OS/2 dual boot machines (OS/2)

Hello, does anyone have experience dealing with Natas on an OS/2 dual boot machine? Natas attacks the Boot Manager partition and is undetectable with McAfee, both OS2SCAN and SCAN (latest version 2.1.12).
In fact the only way to know that your machine has been infected is to check the physical disk through Norton DISKEDIT or something similar at offset 467, cyl 0, side 0 and the previous to the last sector for the text string "Natas". In more simple terms, simply run DISKEDIT, go to the very first sector on your disk and do a text search for that string.

Thanks. Please post any replies or email to Sotiris.Baxevanis@intelsat.int

------------------------------

Date: Tue, 11 Oct 94 17:29:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Untouchable & V-analyst 3 (PC)

Im Haq writes:

> I have been a registered user
> of your Untouchable product for over TWO years, and
> would like to continue to receive updates, whenever they become
> available.

I'm sorry to break the news to you: Untouchable does not exist anymore (Symantec bought 5th Generation). It's been terminated.

Regards ;-(

Amir Netiv.

- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Thu, 27 Oct 94 10:31:19 -0400
From: raschnei@cacd.rockwell.com (Robert A. Schneider II)
Subject: Experiences with VFind by CyberSoft Requested (PC)

We're looking at the Unix-based VFind Virus Scanner product from CyberSoft, Inc. I'd like to hear from anyone using the product or having experience with the company or the company principal (Peter V. Radatti). Please e-mail me directly to reduce loading on the newsgroup.

Bob Schneider                        Enterprise Network & Computers
ras@cacdvax.cacd.rockwell.com        Technical Planning Team
raschnei@cacd.rockwell.com           Rockwell International
ras@131.198.128.114                  400 Collins Road NE M/S 106-103
                                     Cedar Rapids, IA 52498
Voice: 319/395-3863    Comments expressed are strictly my own and are not to
FAX:   319/395-5999    be construed as statements endorsed by my employer.
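Mike McCarty's reply in the graphic-files thread earlier in this digest makes the point that only code which is eventually executed can infect, with ANSI bombs as the possible exception: a plain text file that, when displayed through a console driver honouring key reassignment, rebinds a key to a command string. The following detector is an added example, not code from any post or product in this digest. It looks only for the key-reassignment escape sequence (ESC [ key ; string-or-codes p) so that ordinary colour and cursor sequences are not flagged; the ANSI.SYS parameter conventions it parses and the sample text it scans are assumptions constructed for the example.

```python
"""Flag ANSI key-reassignment sequences in a file that is supposed to be data."""
import re
from typing import List, Tuple

ESC = b"\x1b"

# ESC [ followed by one or more ';'-separated parameters, each either a
# decimal code or a double-quoted string, terminated by the letter 'p'.
# That is the key-reassignment form; 'm', 'H', 'J' etc. terminate unrelated
# colour/cursor sequences and are deliberately not matched.
KEY_REASSIGN = re.compile(rb'\x1b\[((?:\d+|"[^"]*")(?:;(?:\d+|"[^"]*"))*)p')
PARAM = re.compile(rb'\d+|"[^"]*"')


def parse_reassignments(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (key, replacement-bytes) for every reassignment found.

    Key is '<code>' for an ASCII key, or '0;<scan>' for an extended key
    (function keys, Alt combinations) following the ANSI.SYS convention
    (assumption: a leading 0 introduces a two-part extended key code).
    """
    found = []
    for m in KEY_REASSIGN.finditer(data):
        params = PARAM.findall(m.group(1))
        if params[0] == b"0" and len(params) > 1:      # extended key: two codes
            key, rest = b"0;" + params[1], params[2:]
        else:
            key, rest = params[0], params[1:]
        # Numeric parameters are single bytes to be 'typed'; quoted ones are literal.
        replacement = b"".join(
            bytes([int(p) & 0xFF]) if p.isdigit() else p[1:-1] for p in rest
        )
        found.append((key.decode("ascii"), replacement))
    return found


def is_ansi_bomb_candidate(data: bytes) -> bool:
    """True when the bytes carry at least one key reassignment."""
    return bool(KEY_REASSIGN.search(data))


# Constructed samples: a benign coloured banner, and the same banner with
# Enter (code 13) reassigned to the string 'dir' followed by a carriage return.
BENIGN_TEXT = b"Welcome to " + ESC + b"[1;32mSHAREWARE.TXT" + ESC + b"[0m\r\n"
BOMB_TEXT = BENIGN_TEXT + ESC + b'[13;"dir";13p' + b"Press Enter to continue\r\n"


def demo() -> List[Tuple[str, bytes]]:
    """Run the detector over the constructed samples and return what it parsed."""
    if is_ansi_bomb_candidate(BENIGN_TEXT):
        raise RuntimeError("colour sequences must not be flagged")
    return parse_reassignments(BOMB_TEXT)


if __name__ == "__main__":
    for key, replacement in demo():
        print(f"key {key} is reassigned to {replacement!r}")
```

Run on a real file, the check is simply `is_ansi_bomb_candidate(open(path, "rb").read())`; the parsed replacement shows an analyst what the key would have typed, which is what makes a text file worth quarantining even though it contains no executable code.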
------------------------------

Date: Thu, 27 Oct 94 11:53:38 -0400
From: dlgarcia@dorsai.dorsai.org (David Garcia)
Subject: Re: stoned - Monkey (PC)

Kahrs, Christian 7-95 (kahrs@gribb.hsr.no) wrote:
: To anyone out there
: I have a problem with my PC. I'm stoned.... by monkey and not
: something good.
: What can I do to get rid of this problem?????

I just had that on my laptop last night. It hits the boot sectors of the hard disk and the floppy drives. I tried using Clean-Up to remove it from a floppy, but it said that it couldn't safely be removed. I had a day off today anyway, so I decided to:

a) check for it on floppies (5 out of 40... not bad)
b) re-format the hard drive (not such a big problem, it's a small drive)
c) re-install my software and essential files (yes, you DO need to keep good backups. Saved my ass this time...)

So, back to normal, but a little disappointed in the Clean-Up program. Would have been nice just to pry that Monkey out of there. What would it have done if I left it there? No idea. I don't think I've had it more than a week or two, judging by the floppies it hit. But all things considered, I would rather have spent the day at the mall...

- ---
David Garcia (dlgarcia@dorsai.dorsai.org)

------------------------------

Date: Thu, 27 Oct 94 14:36:29 -0400
From: rc.casas@ix.netcom.com (Robert Casas)
Subject: Re: The InVircible Anti-Virus Expert System v6.01 (PC)

frankj@tv.tv.TEK.COM (Frank Jazowick) writes:

> I just have heard about the 'new' anti-virus program called
>The InVircible Anti-Virus Expert System v6.01...
>
> It just came out of Israel and is being used by Australia and
>New Zealand.
>
> So has anyone heard of this program and how good it is as
>compared to well-known shareware and commercial anti-virus
>programs?????

Hi Frank:

I just sent this off in reply to another post about InVircible. You might find it interesting, too.

>Hi readers.....
> I just read about invb601.zip - The InVircible Anti-Virus Expert System
> v6.01, and how good it is........
> Now up to this point, I know that F-Prot was just about equal or one of
> the best anti-virus shareware programs around..... So does anyone know
> about this invb601.zip program and how good/reliable it is and so on??
> I just downloaded it and am waiting for feedback from you readers to
> comment on this..

I'm curious. Where did you read about InVircible?

F-PROT is a very good scanner. So, too, are TBAV and AVP. However, InVircible is not really an AV product designed around the concept of "scanning" to detect viruses so that you can remove them. This is probably one of the most difficult ideas that people familiar with traditional AV tools - such as F-PROT, TBAV, and AVP - will have to deal with to understand and accept InVircible.

InVircible does have a virus scanner (IVSCAN) but it is designed to detect common viruses. Also, it does not work with "signatures" or "heuristics" in the way most "scanners" do. In any case, IVSCAN is not the most interesting or powerful feature of InVircible. As the author of InVircible wrote in several echo posts, IVSCAN would have been removed from the package, except for the fact it also has a role in the generic approach of InVircible. In fact IVSCAN is the platform for several of these generic techniques such as "inverse piggybacking", piggybacking sensing, and the generic recovery from boot and MBR infections, of both hard disks and floppies. The scanner is just a bonus :-).

InVircible uses a "layered" approach to AV. During installation your system is first scanned for common viruses with IVSCAN. Then your executable files are "secured" by creating a database file containing critical information about each of your executables. This is done with the program IVB. This information can later be used to detect any virus related alteration of the executables. This is not a traditional "integrity checking process."
IVB (actually all of the InVircible package) uses "generic methods" to protect your system. IVB does not "check" for any and all kinds of changes to your executables, your BOOT/PARTITION, and system files. Rather, it checks for the kinds of file modifications specific to the actions that viruses perform on your system. To take only _one_ example: if an executable's "entry point" has been changed, and the change is of a specific type, then it is very likely that a virus has altered the file. Many other kinds of changes can occur to an executable during normal operation that are perfectly innocuous. IVB's generic form of "integrity checking" will _not_ identify such normal changes as due to virus activity. The net benefit of this is that IVB will rarely if ever generate "false alarms" just because a file has been changed in a normal and trivial manner. This is very different than what occurs with traditional "integrity checkers," that generate warning files any time a file has changed in _any_ way. You have to do a lot of guessing, or have a very detailed memory and understanding of all the files that can change on your system, to use "strict" CRC based integrity checkers effectively.

The database files can also be used to "restore" the executables to their original state - byte for byte right down to the date/time stamp - in the event the executables have been damaged (but not when they have been mostly overwritten) by a virus. This "restore" function is only available in the registered version of InVircible, not the freeware version (yes, freeware - there is not a limited evaluation period for use of InVircible in what is called its "Sentry Mode").

Once your system has been "secured" your CMOS/MBR/PARTITION, system files and configuration data are copied and stored both on the hard drive and on floppy if you wish. They can be "recovered" if damage occurs to these areas of your system either due to a virus or accident. The RESQDISK program accomplishes this.
This "recover" ability is fully functional in the freeware version of InVircible. InVircible does not need to be registered for you to recover your MBR/CMOS/PARTITION, system, and configuration files in the event they are damaged by a virus or by mishap. Install InVircible now, if only to have this available to you in the event you need it! :-).

During installation, InVircible will make two modifications to your autoexec.bat file so that IVB's generic integrity analysis will run on your system, either once a day (not every re-boot) or once a week. IVB is a program that executes and then terminates in a matter of seconds. It is not a TSR or a device driver so running it from your autoexec.bat will not interfere with any of your other programs. What a relief. I have never been able to get an AV TSR to run on my system without it slowing the system or interfering with other programs. If you want, you can run IVB from the command prompt at any time - which is something you should do if your system appears to be acting atypically. You know the scenario, right? :-) In a matter of a few seconds (about 40-45 on my two drives containing a few thousand files) IVB will generate a report if any virus-like alterations to your system or files have taken place. It's fast.

InVircible also uses a program called IVTEST. This module does several things. One is it sends a probe into RAM simulating the execution of a program file. If there is a memory resident virus active, this "probe" will be modified and IVTEST will report this immediately. If the "probe" has not been "attacked" by a virus IVTEST immediately terminates and your system is unencumbered and you go on computing. If the probe has been modified in a virus like manner, or if IVTEST determines that system RAM has been reduced from its baseline, you will receive an alert identifying the nature of the change that has taken place. IVTEST examines more than just whether the "probe" gets attacked.
It will also do, for example, a boot/MBR check, sample available system RAM resource levels, look for "boot spoofing," and launch probes or "baits" to see if they get "attacked" by a memory resident virus. You can execute IVTEST from a few strategically chosen files in "quiet" mode so that IVTEST will perform these types of examinations throughout the day. Again, it is important to note that IVTEST is not a TSR. It executes and then terminates in about a second [when there is no virus resident :-)] on my 486DX2-66 and is not noticeable at all if run from batch files.

Two remarkable features of IVTEST, and of InVircible in general, are its self-restoring capability, and its sensing the presence of stealth viruses. IVTEST will sample many stealth file viruses, and all boot/MBR infectors. The InVircible programs will restore themselves if attacked by a virus, "stealthy" ones too. This is necessary since these programs use themselves as bait during various phases of their operation. If IVTEST gets "attacked" the program restores itself and then the virus code that has been excised will be dropped into a file to be used later as a virus "sample" with the correlator - IVX.

An amazing new tool included with InVircible is the program called IVX, or the "hyper-correlator." IVX, in concert with IVB, IVTEST, and DOS, can be used to detect, locate, and remove completely new and unscannable viruses. IVX is used to perform a "similarity" analysis on your files using "samples" that can be obtained from IVTEST's "probes", from IVB's identification of "altered files" or from files you designate yourself. IVX will use the designated "sample" as a form of "index" or "baseline" and then scan your entire system, or just those directories and files you designate, to determine if there are any other files on your system that have a default, or a user specified, degree of similarity to the "sample" file (or files).
The file code parameters used by IVX are both generic, or common to virus code, _and_ specific to program code identified in the "index sample" used for the analysis. If IVB identifies a file as "altered" in a virus-like manner and this file shows a high degree of similarity to several other files listed in IVX's similarity profiles, then it is quite likely all of these files have been infected by a common virus.

IVX is a very sophisticated program. You can use it in an iterative procedure to track down "unscannable" and even encrypted viruses. With simple COM/EXE infectors this can be accomplished on the first "run" of IVX.

Here is a very simple example based on a test I performed using a simple COM infector last night. First, I copied all of the COM files from my DOS directory into a new directory I called "virus" (creative, don't you think :-) ). I then generated a virus that infects five COM files in the current directory upon execution. I called this virus "mike.com." First, I "secured" the files by running IVB on them _including_ the virus file called "mike.com". I executed this virus 5 times so that all of the DOS COM files would be infected. "Mike," being a virus of "borderline to low-average intelligence", did not infect itself. This is important.

Next, I again ran IVB on the files to perform an integrity check on them. All of the DOS COM files were identified as having undergone alterations suggestive of virus produced change. The important point is this: "mike.com" - the infecting virus - was NOT identified as altered because it HADN'T been changed. If this is all InVircible could do this would be a problem, right? IVB identified a set of files as suspiciously altered. But it did not identify the virus file (mike.com) as altered because it wasn't!

Fortunately, InVircible has the "hyper-correlator" or IVX. So I ran IVX using one of the infected DOS COM files, identified by IVB as altered, as my baseline "index sample".
I ran it on both of my hard drives in a single step analysis. The similarity profiles produced by IVX identified all of the DOS COM files as displaying a very high degree of similarity (in fact 100%). There was one additional file listed in the profile. It was "MIKE.COM." Using similarity analysis InVircible had identified the "source" of the file changes detected by IVB (the generic integrity checker). It was the _set_ of generic AV tools provided by InVircible that in an iterative process identified a set of files as altered in a virus like manner and, in a second step, located the virus file producing the changes. A virus "scanner" wasn't used at any point. I finally "restored" the DOS COM files to their original condition.

This is simply to illustrate a point. I am not suggesting you let viruses infect your system and track them down afterwards. There are many security procedures you can follow to prevent viruses from entering your system. One of the best - using a test machine for new software - is not available to most users. Using "scanners" alone _will_ fail at some point. Therefore, you need tools to deal with new, unknown viruses once your system has been breached. InVircible has a set of generic tools that can detect and locate new and unscannable viruses, and it has tools to recover and restore your system from the damage that may occur.

This may seem like a lot of work. But it doesn't have to be. :-). If you suspect your system has been infected, just re-boot. The entire set of generic AV tools will initialize. If virus like alterations to your system have taken place, InVircible will prompt you through a series of steps to track it down. You are not, for example, just told file XXX has been altered. You will receive specific conclusions, such as "File NNN has increased in size by xxx bytes, probably just a normal file change."
Or, you might receive a message stating the change is virus like and you will be prompted to perform specific further analyses using the set of generic AV tools provided with InVircible.

InVircible is fairly well documented and there is plenty of useful and up-to-date information in the on-line hypertext, as well as in the manual.txt doc. The generic philosophy and techniques are explained there in a didactic and reassuring way.

I think InVircible deserves a very close look by anyone interested in AV. It is quite a remarkable set of generic AV tools.

- ---------------------------------------------------------------------------
Robert C. Casas, Ph.D.
rc.casas@ix.netcom.com < or > 73763.20@compuserve.com
PGP - keyID: 18239E91
fingerprint: F0 4A EB 7E F0 B0 9A 45 A6 DE DD 51 FE 77 91 54
___________________________________________________________________________
Created with PGP WinFront 3.0

------------------------------

Date: Thu, 27 Oct 94 14:53:02 -0400
From: rc.casas@ix.netcom.com (Robert Casas)
Subject: Re: invb601.zip - The InVircible Anti-Virus Expert System v6.01 (PC)

frankj@tv.tv.TEK.COM (Frank Jazowick) writes:

> I just read about invb601.zip - The InVircible Anti-Virus Expert System
>v6.01, and how good it is........
>
> Now up to this point, I know that F-Prot was just about equal or one of
>the best anti-virus shareware programs around..... So does anyone know about
>this invb601.zip program and how good/reliable it is and so on??
>
> I just downloaded it and am waiting for feedback from you readers to
>comment on this..

- ------------

I'm curious. Where did you read about InVircible? I'd like to see the piece. Let me know if you remember where it can be obtained.

F-PROT is a very good scanner. So, too, are TBAV and AVP. However, InVircible is not really an AV product designed around the concept of "scanning" to detect viruses so that you can remove them.
This is probably one of the most difficult ideas that people familiar with traditional AV tools - such as F-PROT, TBAV, and AVP - will have to deal with to understand and accept InVircible.

InVircible does have a virus scanner (IVSCAN) but it is designed to detect common viruses. Also, it does not work with "signatures" or "heuristics" in the way most "scanners" do. In any case, IVSCAN is not the most interesting or powerful feature of InVircible. As the author of InVircible wrote in several echo posts, IVSCAN would have been removed from the package, except for the fact it also has a role in the generic approach of InVircible. In fact IVSCAN is the platform for several of these generic techniques such as "inverse piggybacking", piggybacking sensing, and the generic recovery from boot and MBR infections, of both hard disks and floppies. The scanner is just a bonus :-).

InVircible uses a "layered" approach to AV. During installation your system is first scanned for common viruses with IVSCAN. Then your executable files are "secured" by creating a database file containing critical information about each of your executables. This is done with the program IVB. This information can later be used to detect any virus related alteration of the executables. This is not a traditional "integrity checking process."

IVB (actually all of the InVircible package) uses "generic methods" to protect your system. IVB does not "check" for any and all kinds of changes to your executables, your BOOT/PARTITION, and system files. Rather, it checks for the kinds of file modifications specific to the actions that viruses perform on your system. To take only _one_ example: if an executable's "entry point" has been changed, and the change is of a specific type, then it is very likely that a virus has altered the file. Many other kinds of changes can occur to an executable during normal operation that are perfectly innocuous.
IVB's generic form of "integrity checking" will _not_ identify such normal changes as due to virus activity. The net benefit of this is that IVB will rarely if ever generate "false alarms" just because a file has been changed in a normal and trivial manner. This is very different than what occurs with traditional "integrity checkers," that generate warnings any time a file has changed in _any_ way. You have to do a lot of guessing, or have a very detailed memory and understanding of all the files that can change on your system, to use "strict" CRC based integrity checkers effectively.

The database files can also be used to "restore" the executables to their original state - byte for byte right down to the date/time stamp - in the event the executables have been damaged (but not when they have been mostly overwritten) by a virus. This "restore" function is only available in the registered version of InVircible, not the freeware version (yes, freeware - there is not a limited evaluation period for use of InVircible in what is called its "Sentry Mode").

Once your system has been "secured" your CMOS/MBR/PARTITION, system files and configuration data are copied and stored both on the hard drive and on floppy if you wish. They can be "recovered" if damage occurs to these areas of your system either due to a virus or accident. The RESQDISK program accomplishes this. This "recover" ability is fully functional in the freeware version of InVircible. InVircible does not need to be registered for you to recover your MBR/CMOS/PARTITION, system, and configuration files in the event they are damaged by a virus or by mishap. Install InVircible now, if only to have this available to you in the event you need it! :-).

During installation, InVircible will make two modifications to your autoexec.bat file so that IVB's generic integrity analysis will run on your system, either once a day (not every re-boot) or once a week.
IVB is a program that executes and then terminates in a matter of seconds. It is not a TSR or a device driver so running it from your autoexec.bat will not interfere with any of your other programs. What a relief. I have never been able to get an AV TSR to run on my system without it slowing the system or interfering with other programs. If you want, you can run IVB from the command prompt at any time - which is something you should do if your system appears to be acting atypically. You know the scenario, right? :-) In a matter of a few seconds (about 40-45 on my two drives containing a few thousand files) IVB will generate a report if any virus-like alterations have taken place. It's fast.

InVircible also uses a program called IVTEST. This module does several things. One is it sends a probe into RAM simulating the execution of a program file. If there is a memory resident virus active, this "probe" will be modified and IVTEST will report this immediately. If the "probe" has not been "attacked" by a virus IVTEST immediately terminates and your system is unencumbered and you go on computing. If the probe has been modified in a virus like manner, or if IVTEST determines that system RAM has been reduced from its baseline, you will receive an alert identifying the nature of the change that has taken place. IVTEST examines more than just whether the "probe" gets attacked. It will also do, for example, a boot/MBR check, sample available system RAM resource levels, look for "boot spoofing," and launch probes or "baits" to see if they get "attacked" by a memory resident virus. You can execute IVTEST from a few strategically chosen batch files, in "quiet" mode, so that IVTEST will perform these types of examinations throughout the day. Again, it is important to note that IVTEST is not a TSR. It executes and then terminates in about a second [when there is no virus resident :-)] on my 486DX2-66 and is not noticeable at all if run from batch files.
Two remarkable features of IVTEST, and of InVircible in general, are its self-restoring capability and its sensing of the presence of stealth viruses. IVTEST will sample many stealth file viruses, and all boot/MBR infectors. The InVircible programs will restore themselves if attacked by a virus, "stealthy" ones too. This is necessary since these programs use themselves as bait during various phases of their operation. If IVTEST gets "attacked", the program restores itself and then the virus code that has been excised will be dropped into a file to be used later as a virus "sample" for use with the correlator - IVX.

An amazing new tool included with InVircible is the program called IVX, or the "hyper-correlator." IVX, in concert with IVB, IVTEST, and DOS, can be used to detect, locate, and remove completely new and unscannable viruses. IVX is used to perform a "similarity" analysis on your files using "samples" that can be obtained from IVTEST's "probes", from IVB's identification of "altered files", or from files you designate yourself. IVX will use the designated "sample" as a form of "index" or "baseline" and then scan your entire system, or just those directories and files you designate, to determine if there are any other files on your system that have a default, or a user specified, degree of similarity to the "sample" file (or files). The file code parameters used by IVX are both generic, or common to virus code, _and_ specific to program code identified in the "index sample" used for the analysis. If IVB identifies a file as "altered" in a virus-like manner and this file shows a high degree of similarity to several other files listed in IVX's similarity profiles, then it is quite likely all of these files have been infected by a common virus. IVX is a very sophisticated program. You can use it in an iterative procedure to track down "unscannable" and even encrypted viruses. With simple COM/EXE infectors this can be accomplished on the first "run" of IVX.
Here is a very simple example based on a test I performed using a simple COM infector last night. First, I copied all of the COM files from my DOS directory into a new directory I called "virus" (creative, don't you think :-) ). I then generated a virus that infects five COM files in the current directory upon execution. I called this virus "mike.com." First, I "secured" the files by running IVB on them, _including_ the virus file called "mike.com". I executed this virus 5 times so that all of the DOS COM files would be infected. "Mike," being a virus of "borderline to low-average intelligence", did not infect itself. This is important.

Next, I again ran IVB on the files to perform an integrity check on them. All of the DOS COM files were identified as having undergone alterations suggestive of virus produced change. The important point is this: "mike.com" - the infecting virus - was NOT identified as altered because it HADN'T been changed. If this is all InVircible could do, this would be a problem, right? IVB identified a set of files as suspiciously altered. But it did not identify the virus file (mike.com) as altered because it wasn't!

Fortunately, InVircible has the "hyper-correlator" or IVX. So I ran IVX using one of the infected DOS COM files, identified by IVB as altered, as my baseline "index sample". I ran it on both of my hard drives in a single step analysis. The similarity profiles produced by IVX identified all of the DOS COM files as displaying a very high degree of similarity (in fact 100%). There was one additional file listed in the profile. It was "MIKE.COM." Using similarity analysis InVircible had identified the "source" of the file changes detected by IVB (the generic integrity checker). It was the _set_ of generic AV tools provided by InVircible that in an iterative process identified a set of files as altered in a virus-like manner; and, in a second step, located the virus file producing the changes.
A virus "scanner" wasn't used at any point. I finally "restored" the DOS COM files to their original condition.

This is simply to illustrate a point. I am not suggesting you let viruses infect your system and track them down afterwards. There are many security procedures you can follow to prevent viruses from entering your system. One of the best - using a test machine for new software - is not available to most users. Using "scanners" alone _will_ fail at some point. Therefore, you need tools to deal with new, unknown viruses once your system has been breached. InVircible has a set of generic tools that can detect and locate new and unscannable viruses, and it has tools to recover and restore your system from the damage that may occur.

This may seem like a lot of work. But it doesn't have to be. :-). If you suspect your system has been infected, just re-boot. The entire set of generic AV tools will initialize. If virus-like alterations to your system have taken place, InVircible will prompt you through a series of steps to track it down. You are not, for example, just told file XXX has been altered. You will receive specific conclusions, such as "File NNN has increased in size by xxx bytes, probably just a normal file change." Or, you might receive a message stating the change is virus-like and you will be prompted to perform specific further analyses using the set of generic AV tools provided with InVircible.

InVircible is fairly well documented and there is plenty of useful and up-to-date information in the on-line hypertext, as well as in the manual.txt doc. The generic philosophy and techniques are explained there in a didactic and reassuring way. I think InVircible deserves a very close look by anyone interested in AV. It is quite a remarkable set of generic AV tools.

- ---------------------------------------------------------------------------
Robert C. Casas, Ph.D.
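The two-step procedure the review above describes (an integrity check flags the altered COM files, then a similarity pass using one altered file as the "index sample" turns up the unaltered source file as well) as an added example; this is not InVircible's code or Robert Casas's test. The file contents are constructed stand-ins (the infector body is an inert marker string), and the size/hash database, 8-byte window index and 0.9 threshold are assumptions of this example.

```python
"""Added example: integrity check followed by similarity correlation,
modelled on the two-step procedure in the InVircible review above.
Not InVircible's code; file contents and parameters are constructed."""
import hashlib
from typing import Dict, Tuple

NGRAM = 8          # byte-window size for the similarity index (assumption)
THRESHOLD = 0.9    # minimum score to appear in a profile (assumption)

Database = Dict[str, Tuple[int, str]]   # name -> (size, sha256 hex)


def secure(files: Dict[str, bytes]) -> Database:
    """Baseline pass: record size and hash of every executable."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def altered(files: Dict[str, bytes], db: Database) -> Dict[str, int]:
    """Integrity check: files whose bytes no longer match the baseline,
    mapped to their growth in bytes. A file that did not change is never
    listed, which is why the infector itself escapes this step."""
    changed = {}
    for name, data in files.items():
        size, digest = db[name]
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            changed[name] = len(data) - size
    return changed


def ngrams(data: bytes, n: int = NGRAM) -> set:
    """All n-byte windows of data, as a set."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def correlate(index: bytes, files: Dict[str, bytes]) -> Dict[str, float]:
    """Similarity profile: share of the index's byte windows found in each
    file; only files scoring at least THRESHOLD are listed."""
    idx = ngrams(index)
    profile = {}
    for name, data in files.items():
        score = len(idx & ngrams(data)) / len(idx)
        if score >= THRESHOLD:
            profile[name] = round(score, 3)
    return profile


def track_down(files: Dict[str, bytes], db: Database) -> Dict[str, float]:
    """Use one altered file as the index sample. The bytes it gained serve
    as the index (assumes an appending infector; for other kinds of change
    the review's "file you designate yourself" option would be used),
    then every file is correlated against that index."""
    changed = altered(files, db)
    if not changed:
        return {}
    sample = min(changed)                  # any altered file will do
    growth = changed[sample]
    index = files[sample][-growth:] if growth > 0 else files[sample]
    return correlate(index, files)


# --- constructed scenario: stand-ins for the DOS COM files and "mike.com" ---
def host(name: str) -> bytes:
    """Constructed 'clean program' content, distinct per file."""
    return (name + " clean program body ").encode() * 8


INFECTOR_BODY = b"CONSTRUCTED-INFECTOR-MARKER:" + bytes(range(256))
HOSTS = ["COMMAND.COM", "EDIT.COM", "FORMAT.COM", "MORE.COM", "TREE.COM",
         "SYS.COM", "MODE.COM"]
VICTIMS = HOSTS[:5]


def build_scenario() -> Tuple[Dict[str, bytes], Database]:
    files = {name: host(name) for name in HOSTS}
    files["MIKE.COM"] = INFECTOR_BODY        # the source file; never modified
    db = secure(files)                       # "secured" before anything ran
    for name in VICTIMS:                     # five hosts gain the body
        files[name] = b"JMP" + files[name][3:] + INFECTOR_BODY
    return files, db


if __name__ == "__main__":
    files, db = build_scenario()
    print("altered:", sorted(altered(files, db)))   # five hosts, not MIKE.COM
    print("profile:", track_down(files, db))        # five hosts plus MIKE.COM
```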
rc.casas@ix.netcom.com < or > 73763.20@compuserve.com
PGP - keyID: 18239E91
fingerprint: F0 4A EB 7E F0 B0 9A 45 A6 DE DD 51 FE 77 91 54
___________________________________________________________________________
Created with PGP WinFront 3.0

------------------------------

Date: Thu, 27 Oct 94 17:11:18 -0400
From: Tripp@richmond.infi.net (Tripp Lewis)
Subject: Re: VCL?? (PC)

> If, as seems from this, computer virus writing clubs have information
> exchanges at known email sites, then why can't these sites be traced and
> closed down? Can't the law act against them????
>

Close them down? Why? How the hell do you think all the av companies can put 50-80 scan strings in their software per update? You think they find them in the wild? Take another guess! Why should av software companies be the only ones to trade viruses among themselves? What about the private researcher in these "groups"? The law cannot do crap about people who write and exchange viruses.

FireCracker, NuKE

------------------------------

Date: Thu, 27 Oct 94 19:30:57 -0400
From: Marsha.Martin@asu.edu (Marsha K. Martin)
Subject: Re: Info on "Kampana"? (PC)

So, what's the solution? Is there anti-virus software that will correct problems caused by Campana? It has just started showing up on some of our workstations here. Suggestions greatly appreciated!

?????

------------------------------

Date: Fri, 28 Oct 94 01:39:05 +0000
From: authh@indirect.com (Thomas Homan)
Subject: Help Please! Possible B1 infection on system (PC)

Howdy all,

One of my clients recently was infected with what Scan 117 calls GenP, and F-Prot 213/214 calls B1. This virus was supposedly removed by clean 117. I rescanned the user's floppies after I got back to the shop because I only had scan on site...:( The system that I scanned them on is on a Novell Netware 3.12 server. Now I am losing my capture commands if the system sits idle for 15-20 min. The system scans clean w/ scan 117/F-Prot 214. Yet I am not so sure.
The server scans clean also with F-Prot. I guess my question is this: What does the B1 virus do in terms of damage? Would I be better off just to reformat the hd or ?

tia
- -=tom
authh@indirect.com

------------------------------

Date: Thu, 27 Oct 94 22:51:45 -0400
From: Zeppelin@ix.netcom.com (Mr. G)
Subject: Re: Thunderbyte anti-virus - how good? (PC)

johnnyrock@delphi.com writes:
>
>I also agree TBAV beats everything else. I've tested Dr. Panda, MSAV,
>Norton, F-Prot, ViSpy, and Virx and TBAV blew everything away. It was
>written by recreational virus writers.
>
>

And supported by SERIOUS Virus writers :)

-Zep-

------------------------------

Date: Thu, 27 Oct 94 22:52:36 -0400
From: Zeppelin@ix.netcom.com (Mr. G)
Subject: Re: Looking for Dr. Solomon upgrade (PC)

bfbrown@teal.csn.org (Brian Brown) writes:
>My company has undergone severe re-organization and even a move
>of location. As a result, all of our docs/disks from Dr. Solomon's
>(S&S) DOS-based virus utilities are gone. All we have resident is an
>11-month-old set of .DRV and .EXE's, which remind us constantly that
>they are out of date. I have finally taken it upon myself, having
>been burned badly once by Michelangelo, to find the new versions.
>
>In its on-line-help, Dr. Solomon's indicates upgrades are available
>via a bulletin board. Does such a board or FTP site exist? Can
>someone point me in the right direction?
>
>Email responses to brian@t1sys.com are appreciated, since our
>internet firewall is mail-only for the time being, and I have to call
>a dialup service provider to read news.

Go to OAK.Oakland.edu SimTel/msdos/virus

-Zep-

------------------------------

Date: Thu, 27 Oct 94 23:27:44 -0400
From: hatcher@mn.ecn.purdue.edu (Stephen D Hatcher)
Subject: Re: Forms Virus (PC)

In addition to others' postings, I too have been affected by this virus that seems to attack the Windows 32-bit disk controller device. This is my first virus. I have attempted to remove it using MSAV to no avail.
If someone has information on how to safely remove the virus, please either post here or e-mail me with that information. I am greatly appreciative!!

Stephen Hatcher
hatcher@ecn.purdue.edu

------------------------------

Date: Thu, 27 Oct 94 23:59:23 -0400
From: stegre@delphi.com
Subject: NYB / B1 virus: Here's what it does (PC)

There have been a number of questions about this virus in this group. It is identified by the latest McAfee (v1.17) and by NAV as "NYB"; f-prot (v2.14) identifies it as "B1". I have disassembled it and can provide this report:

Like most boot sector viruses, it resides in the boot sector of a floppy and/or in the MBR (Partition table) of an infected hard drive. It reduces the amount of total memory (e.g. as shown by chkdsk) by 1k and "lives" at the top of memory, hooking BIOS INT 13. Once in memory it will infect virtually any diskette read or written to. It only infects when track zero is accessed, which pretty much guarantees infection (the FAT is there) but reduces unnecessary overhead which might degrade system performance.

Once in memory, it thwarts attempts at detection ("B1" stealth??) by intercepting any read requests to the boot track and redirecting them to a rarely used sector where a copy of the original boot record was placed at infection time. In the case of a fixed disk, this is absolute sector 17 (cyl/track 0, head 0). For a floppy, it is the last sector of the root directory. This works; an earlier version of SCANV which had no ID string for it was able to detect it as "Genb" only if the machine was booted from a clean floppy; otherwise it missed it completely. I was, in fact, confused myself when a disk editor showed what appeared to be a perfectly normal boot sector.

The "trigger" mechanism is the BIOS timer. The middle two (of four) bytes of the timer are AND'd with 0x178f. If this result is zero (probability = 1/512) it will do its thing (cut to the chase...)
It then uses INT 13 to send the floppy drive head repeatedly from track 0 sector 0 to "track 255", "sector 62" (neither of which exist). Since this BIOS function does not do validity checking on these values, it jams the floppy stepping motor to its physical limit over and over, ignoring virtually any error codes that are returned (physically opening the floppy door *will* stop it). Out of curiosity, I intentionally infected (!?!) my "spare" computer with a copy of the virus (which I had "patched" so I wouldn't have to wait around too long for the trigger event). It made a horrendous noise, the likes of which I have never heard from a floppy drive. After gritting my teeth for about 3 cycles of this I stopped it; it was apparently no worse for the wear.

The virus can be removed by booting from a clean floppy and running FDISK /MBR. I allowed f-prot to remove it with its "generic" boot sector repair feature, which had the additional advantage of removing it from the MBR of a second (physical) hard disk on the machine; the virus had made quick work of it as well.

------------------------------

Date: Fri, 28 Oct 94 00:40:55 -0400
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: HELP with form virus / FAQ (PC)

Christopher Barbay (barbay@dmso.dmso.dtic.dla.mil) wrote:
: Iolo Davidson (iolo@mist.demon.co.uk) wrote:
: : walts@gate.net "Walter Scrivens" writes:
: : > I recently had an infection of the form virus on some
: : > workstations on my LAN. We cleaned it, and several weeks later
: : > it reappeared (and has been cleaned again)
: : You get infected by booting, or trying to boot, from an infected
: : floppy. It will keep coming back until you find, and clean, all
: : the infected floppies. Especially the one that so-and-so usually
: : keeps at home and thinks doesn't count because it only has some
: : word processor files on it. Check the "blank" ones too.
: Your PC also gets infected when running an infected program.
: You don't have to boot to be infected!

True enough in general, but FORM doesn't infect files. Hence Iolo's prescription suffices.

-BPB

------------------------------

Date: Fri, 28 Oct 94 03:47:52 -0400
From: "Frans Veldman"
Subject: Virus writers? (PC)

johnnyrock@delphi.com writes:
> I also agree TBAV beats everything else. I've tested Dr. Panda, MSAV,
> Norton, F-Prot, ViSpy, and Virx and TBAV blew everything away. It was
> written by recreational virus writers.

Excuse me? TBAV is written by me, but I'm not and have never been a virus writer. I've been in the AV field since 1989. I tend to agree however with the rest of your message. :-)

- --
Thunderbye, Frans Veldman
<*** PGP 2.3 public key available on request ***>
Frans Veldman              Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl       Fax   (ESaSS)  + 31 - 80 789 186
2:280/200.0@fidonet        Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Fri, 28 Oct 94 10:57:03 +0200
From: paul@nuustak.csir.co.za (Paul Ducklin)
Subject: KOH re-posting alt.security.pgp (PC)

- ----(posted to alt.security.pgp some time back)----

Just been trying out KOH (as posted to alt.security.pgp and, assumedly, as "shipped" at DEFCON). I wanted to get a feel for the intentions of the producer, its mode of dissemination, the usefulness of the "product" and its relationship with the ongoing battle of good vs bad in the {anti-}virus arena. This might seem entirely facile, but I wanted to try to be as objective as I could (whilst bringing my a-v expertise to the party), so as to avoid possible "oh, but you're *bound* to say it's a Bad Thing" arguments down the line.

Anyway, I'm pleased to announce my final conclusion: it stinks.

Vesselin Bontchev has asked for holes that can be used to shoot the "product" as such down; this is actually unnecessary.
My concern over this sort of attack is that it will reopen the debate in the form "OK, so we'll fix the shitty parts of the software", and will use criticisms like "your IDEA implementation sucks" to deflect debate from the viral aspect.

It is obvious that KOH is intended to position itself as a cut above other viruses...the documentation; the address and contact details; the apparent care that went into the contents of KOH.ZIP. This, in turn, begs the question "OK, so isn't this a beneficial virus?".

As soon as you begin to try the stuff (even if you put yourself in the mode of users who think they're actually legitimately installing software), however, the truth leaps out: as ever, the *virality (if that is a real word) is unnecessary*. You can decouple "beneficial" from "virus", and need only observe that KOH is readily conceptually decomposed into two parts: "software which might be beneficial" (the memory-resident crypto) and "a virus". Look at the virus called Stealth_Boot.B, for example, and there is KOH without crypto. KOH doesn't just "utilise virus like techniques"...it *is* Stealth_Boot with a crypto engine tucked in there too.

The viral bit of KOH can be judged *separately* from the crypto code, which simplifies the "beneficial virus" debate around KOH a lot. Judgement of the KOH-crypto-module is irrelevant to judgement of the KOH-virus-module, and the fact that the former may be beneficial is irrelevant to the argument about whether viruses may be beneficial or not.

Whilst I know that this is all very obvious to a-v-oids, KOH seems to make it pretty obvious to any old user, too. The "auto-migrate" mode is so s-l-o-w and painful (this is the default mode, where any access to an uninfected floppy means that the virus spreads-and-encrypts) that you wish to turn it off at once. Then, to use the crypto features, you need to switch auto-migrate on, DIR a floppy, and switch auto-migrate off. Bingo.
You've just shown the user that virality is unnecessary -- a command line utility would actually be easier to use!

I leave the rest of the smelly parts of KOH as an exercise to the reader, although I might mention: that strong crypto does not necessitate the automatic migration of the crypto package along with encrypted objects (yet this is the only mode that KOH supports!); that KOH is configured so as to *require* the virus to be utilised to remove itself; that a copy of KOH acquired virally (rather than by the apparently decent KOH.COM program) comes without documentation -- and, interestingly, without the VPROTECT program that appears in KOH.ZIP and which is described as pretty damn important in the manual.

Lastly, the inclusion of the Virus Writing Contest advert in the KOH.ZIP file pretty much gives the game away, making KOH's pretence at being a beneficial package (as opposed to "a package which happens to use some beneficial technology somewhere") somewhat feeble.

OK, I know you all thought that up front. But I wanted you to know that I'd reached my conclusions in a bona fide review of the "package", not as the result of what others might allege to be my self-appointed anti-virus-writer crusader status.

Yeah, I know this is alt.security.pgp, and I know that y'all are sick of posts about an essentially MS-DOSoid problem. But the virus KOH (Stealth_Boot.D) *was* posted here, so my review is posted here too..

- ----cut here (posted to alt.security.pgp some time back)----

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin                            duck@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa    \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date: Fri, 28 Oct 94 07:53:32 -0400
From: ross@minmet.uq.oz.au (Ross Cottrell)
Subject: KEEPER.LEMMING virus remover?
(PC)

Hello All,

I've recently come across the KEEPER.LEMMING virus that is detected, but not removed, by McAfee's VirusScan Version 2.1.1 with the 17OCT94 DAT files. I'd like to be able to remove it, and I may be able to write a program to do this, but if it's already been done I'd rather not bother.

Regards, Ross.

------------------------------

Date: Fri, 28 Oct 94 09:38:54 -0400
From: "David M. Chess"
Subject: re: Virus: Leandro and Kelly! GV-MG-BRAZIL (PC)

> From: kahall@halcyon.com (Kevin Hall)
> We have refound a virus that we are trying to get rid of. The virus
> appears to remain dormant until some date and then upon bootup displays:
> Leandro and Kelly! GV-MG-BRAZIL
> You have this virus since 11-08-94

That virus has just reared its head in Brazil; the code I've seen only displays that message on October 21st (perhaps you have some PCs with the date set wrong?). The following signature can be put in an ADDENDA.LST file in the same directory as VIRSIG.LST, to enable IBMAV to detect the virus. The usual erase/replace function should be able to clean up infected boot records correctly (although infected diskettes will not be bootable after cleanup).

02BB007E8B161E7C8B0E1C7CFEC9CD13BE4B0046BFFC01B9 %s the Leandro %s (Boot records. Scan memory, pause if found.)

The virus has no intentionally destructive payload, but as usual it will sometimes mess up infected systems by overlaying user data when it saves away the original boot record.

- - -- -
David M. Chess                   | Mah'-ee huv'-erk-raft
High Integrity Computing Lab     | iz fuhl ov ee'-ulz
IBM Watson Research

------------------------------

Date: Sat, 29 Oct 94 19:23:07 -0400
From: datadec@impala.ucr.edu (Kevin Marcus)
Subject: Re: KOH is not destructive (PC)

AMERICAN EAGLE PUBLICATION INC. <0005847161@mcimail.com> wrote:
>This is what KOH uses to ask. And you can buy the source to check it out
>if you don't believe me. (By the way, the latest version is 1.02.)

Was there a v1.00? 1.01?
If it had no problems in 1.00, why is it 1.02? Why should anyone believe it is better now and won't cause damage?

And, while I don't suspect it would happen, just so you know, an interrupt could go off in the middle of your "ask" routine which could quite happily either mess up the stack (you saved the response on the stack), and/or modify registers so the compare is incorrect.

Why should someone use KOH instead of, say, a non-virus disk encrypting program?

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
     * * * T H I E V E S   S U C K * * *     * * * T H I E V E S   S U C K * * *

------------------------------

Date: Sat, 29 Oct 94 21:15:15 -0400
From: Iolo Davidson
Subject: SYSTEM.INI (PC)

judgdredd@aol.com "Judgdredd" writes:
> I received this message following the Windows 3.1 startup screen:
>
> "A device file specified in the SYSTEM.INI file is corrupted.
> It may be needed to run Windows in 386 enhanced mode.

Means just what it says, and no need to assume a virus. Of course it would be much more helpful if the message said which file was causing the problem.

> Press a key and the system reboots. I tried rerunning Setup,
> I tried overwriting my Windows files from my backup, and I have
> retried installing Windows.

It might be an add-on driver not part of the Windows install. Printer driver? Sound driver? Look in the [386 Enhanced] section of SYSTEM.INI for filenames preceded by "device=". It will be one of those.

- --
IF YOU DISLIKE          'TILL YOU
BIG TRAFFIC FINES       CAN READ THESE SIGNS
SLOW DOWN                     Burma Shave

------------------------------

Date: Sat, 29 Oct 94 21:16:06 -0400
From: Iolo Davidson
Subject: HELP with form virus / FAQ (PC)

barbay@dmso.dmso.dtic.dla.mil "Christopher Barbay" writes:
> Iolo Davidson (iolo@mist.demon.co.uk) wrote:
>
> : walts@gate.net "Walter Scrivens" writes:
> :
> : > I recently had an infection of the form virus on some
> : > workstations on my LAN.
> : > We cleaned it, and several weeks later
> : > it reappeared (and has been cleaned again)
>
> : You get infected by booting, or trying to boot, from an infected
> : floppy. It will keep coming back until you find, and clean, all
> : the infected floppies. Especially the one that so-and-so usually
> : keeps at home and thinks doesn't count because it only has some
> : word processor files on it. Check the "blank" ones too.
>
> Your PC also gets infected when running an infected program.
> You don't have to boot to be infected!

Sounds like you are unaware that the virus Walter was asking about is a boot sector virus, not a file virus. Form does not infect programs.

- --
IF YOU DISLIKE          'TILL YOU
BIG TRAFFIC FINES       CAN READ THESE SIGNS
SLOW DOWN                     Burma Shave

------------------------------

Date: Sat, 29 Oct 94 21:16:59 -0400
From: Iolo Davidson
Subject: FORM virus Info wanted (PC)

paget@gaul.csd.uwo.ca "Michael Paget" writes:
> An acquaintance of mine is currently tracking down an infection of the
> FORM virus in the computer system of a large corporation. We have
> successfully removed it several times, but re-infection continues on an
> irregular basis.

Someone has an infected floppy disk which you have not checked. It does not have to be a bootable floppy to carry the virus. He might be using it to carry data home and back, and may even have an infected hard disk in his home computer. You may have to bar movements of floppies or laptops in and out of the premises, or institute a ringfence virus check.

Alternatively, install a memory-resident scanner in all the computers. Most of these will alarm whenever an infected floppy is put in the machine, and this could be enough both to keep you clean and help you spot the route it is taking when it comes back.
- --
IF YOU DISLIKE          'TILL YOU
BIG TRAFFIC FINES       CAN READ THESE SIGNS
SLOW DOWN                     Burma Shave

------------------------------

Date: Sat, 29 Oct 94 21:30:00 -0400
From: Iolo Davidson
Subject: memory scanning (PC)

Veldman@esass.iaf.nl "Frans Veldman" writes:
> Iolo Davidson writes:
>
> > clotsche@coh.fgg.EUR.NL "Pim Clotscher @ COH" writes:
> >
> >> Where can I get objective information about the thunderbyte
> >> anti-virus package? There was a review/test in Virus Bulletin of
> >> july 1994, but I have no access to that information. Can anybody
> >> tell the conclusion / strong points, weak points, etc.?
> >
> > I expect Richard Ford will be along to summarize the VB test.
> >
> > In a test in SECURE Computing (I'm technical editor) of *just*
> > the ability to find viruses in memory, which is important for
> > combating stealth viruses, Thunderbyte came off worst of the ten
> > products tested, with a score of 2 out of a possible 24.
>
> As a 'technical editor' you are acting rather unprofessional.

This is libelous and actionable. I have discussed your message with the editor of SECURE Computing, Paul Robinson, who has said two things of substance:

1- SECURE Computing stands by its review.
2- He does not want me to get into a public argument with you.

In view of your public attack on my professional reputation, I have refused to accede to his second point. This reply therefore comes from me personally, and not as a representative of SECURE Computing.

> It is a good custom to respect a developers' motivation
> about the design of his product.

In journalism it is the custom to examine issues that the journalist thinks relevant without paying too much attention to the excuses of those being examined. Ten products were reviewed, and only Thunderbyte took the position that memory scanning was not necessary.

> You are criticizing my product without mentioning the reasons
> behind the result of the test, as outlined by both our British
> representative and myself.
> I'm wondering why Secure Computing
> asked our comments on the test anyway, if they don't publish
> reasonable comments at all.

SECURE Computing did publish comments from many of the vendors whose products were tested, including Thunderbyte. Try looking at pages 38 and 39. You were quoted as saying that the test was "irrelevant" for your product. You were also quoted as claiming that the next version of your product *would* be able to do such tests. The vendor response boxes indicate that when asked if detecting viruses in memory was important, you responded "Yes and No". You also indicated that you have not conducted your own tests of memory scanning (doesn't bode well for the new version that is supposed to offer it).

> Since you decided to broadcast this 'half story' even further, I
> feel I have to explain to the same public why our product performs
> so badly in your test.

And since you have libeled me, I omit your excuses from this reply in a fit of pique.

> To our big surprise, Secure Computing didn't manage to explain to
> people why it is necessary for a scanner to detect the Jerusalem
> virus in memory.

Quote from the review- "Out of the ten anti-virus vendors whose products we investigated, at least eight seem to have agreed with us regarding the advisability of looking for Jerusalem in memory before disk scanning."

> To our even greater surprise, Secure Computing didn't bother to
> publish the reaction of the author of one of the tested products.

SECURE Computing are not obliged to publish your excuses for you. Nevertheless, they did publish your comments, as noted above.

> Testing products is fine, but one
> should at least honour the developers' motivation about the
> design of his product and publish it, even if you do not agree
> with it personally.

SECURE Computing are not obliged to test products to your specifications, nor to publish your excuses for you. Nevertheless, they did publish your comments.
I guess you simply did not read the whole review before making this wholly unsubstantiated complaint three times in your post.

As for the excuses themselves, I don't agree with them on the basis of my professional judgement, not my personal feelings. Why, for instance, have you designed your product to hang the computer with no message when Fish6 or Frodo are in memory? Surely it would be better to give the user some idea of what is happening? Why doesn't your product find Nomenclatura, one of the most dangerous data corrupting viruses, in either memory or on disk, even though it has been known for years? Why does it fail to find Exebug in memory, when this virus can spoof a clean, power-off floppy boot, making the user think he has clean booted when he has not? This virus is widespread in the wild in South Africa.

> But to say, this product is bad, because it just has a
> different approach than other products, is very unprofessional.

The review merely reported the facts about individual products' performance in the tests. The value judgements made about these results in the conclusion were general, and singled out no particular product. However, I agree completely with the conclusion that some of the products tested were woefully lacking.

> > Products that scored well were Dr. Solomon's (24)
>
> Surprise, surprise...

Dr. Solomon's is a consistent high scorer in tests conducted by many organisations, including SECURE Computing's rival publication, Virus Bulletin. This should not surprise anyone. The person who conducted the SECURE Computing test is an independent journalist who works for a number of magazines. As many people in here know, I was once employed by Dr. Solomon, and am the author of VirusGuard, but left that company last November. I did not conduct the tests concerned. I did discuss the choice of viruses used in the test with the tester, and suggested the inclusion of Fish6, because it has the unusual property of encrypting itself in memory.
- --
IF YOU DISLIKE          'TILL YOU
BIG TRAFFIC FINES       CAN READ THESE SIGNS
SLOW DOWN                     Burma Shave

------------------------------

Date: Sat, 29 Oct 94 21:31:43 -0400
From: Iolo Davidson
Subject: Exebug apparently surviving boot (PC)

A.APPLEYARD@fs1.mt.umist.ac.uk "ANTHONY APPLEYARD" writes:
> mshmis@world.std.com (MSH MIS) wrote in #85 (Subject: Exebug (PC)):-
>
> I have recently found Exebug on a number of computers and it
> seems difficult to eliminate. Yesterday I booted from a clean
> write protected boot diskette which contains Mcafee's latest
> anti-virus software. The message on the screen said that traces
> of exebug were found in memory. How could this be?
>
> > "I booted" hereinabove: warm boot (ctrl-alt-del, or RESET
> > button) or cold boot (switch the PC off and on)? Some viruses
> > can survive warm boot in memory, I suspect, as warm boot is not
> > a complete re-zeroing and reinitializing of everything. And some
> > viruses can trap ctrl-alt-del and fake a warm boot. In finding
> > and removing viruses, always COLD boot.

But Exebug can spoof a cold boot. It forces the computer to start booting from the hard disk even though you think it is booting from the floppy. Once it has loaded and run the partition sector (MBR), getting the virus into memory and active, then it continues the boot from the floppy so you are none the wiser. For this reason, anti-virus scanners have to be able to detect Exebug in memory.

- --
IF YOU DISLIKE          'TILL YOU
BIG TRAFFIC FINES       CAN READ THESE SIGNS
SLOW DOWN                     Burma Shave

------------------------------

Date: Sat, 29 Oct 94 21:31:40 -0400
From: Iolo Davidson
Subject: Help IRISH virus on CD (PC)

asx008@coventry.ac.uk "V. Tandy" writes:
> Does anyone know what IRISH does, is it real and a serious threat
> or has the virus check software been fooled?

McAfee used to call Maltese Amoeba "Irish", dunno if they still do.
If it is Maltese Amoeba, then it trashes the hard disk on March 15th and November 1 (the ides of March and the calends of November). I doubt this message will get to you in time on comp.virus, so I'm also emailing it.

> No damage seems to have been done ...(yet)!!

As it's on a CD, I expect to hear of a lot of damage in a few days.

- --
IF YOU DISLIKE          'TILL YOU
BIG TRAFFIC FINES       CAN READ THESE SIGNS
SLOW DOWN                     Burma Shave

------------------------------

Date: Sun, 30 Oct 94 05:51:33 -0500
From: Iolo Davidson
Subject: MtE virus (PC)

charlesb@bedford.progress.COM "Charley Boudreau" writes:

> Can anyone give me any info on the MtE virus. I was infected with
> it yesterday. InocuLAN cleaned it up nicely, but I'd like to know
> what damage it was trying to do and any technical info on it.

There are a number of viruses in existence encrypted with the MTE engine. If your anti-virus only reports the encryption "wrapper" and not which virus is inside, then there is no way to answer your question from here.

- --
HENRY THE EIGHTH        BUT KEPT
PRINCE OF FRISKERS      HIS WHISKERS
LOST FIVE WIVES               Burma Shave

------------------------------

Date: Sun, 30 Oct 94 05:51:29 -0500
From: Iolo Davidson
Subject: The truth about the CD-ROM (PC)

0005847161@mcimail.com "AMERICAN EAGLE PUBLICATION INC." writes:

> Iolo Davidson writes:
> > Most such responsible people consider it wrong to help create
> > a market in viruses or contribute to any financial or other
> > incentive for their writing and distribution.
>
> If I were a customer, I'd demand my A-V pay attention. However
> you can probably leave that to several magazine publishers who've
> bought the CD for testing when they review products. If you, by
> censorship, make the CD into something that only virus writers or
> lawbreakers can get, then it will probably encourage virus
> writing, yes.

Refusing to buy your virus collection is not censorship.
I am interested in your revelation that you would continue to sell it to lawbreakers if it were legally censored, though. It probably is illegal to sell it in Britain. Certainly one person who tried a similar get-rich-quick scheme here was arrested. I think the charges were dropped, but he hasn't tried it again. I prefer not to see the law get into this issue, but it looks inevitable that it will, in the USA as well, as there are always a few people who will not behave responsibly.

> If you would work with me to get it into the hands of people who
> legitimately need it, I suspect it would help to solve problems
> instead of creating them. Just like a gun. Give it to good cops
> or good citizens and it helps. Give it to bad cops, or to
> criminals, and it hurts.

Give? I understood that you were selling the CD. The objection I stated above was that responsible anti-virus people did not want to see a market created for viruses, i.e. buying and selling. You need no help from anyone to send a free copy to all the anti-virus researchers if you think that would "help to solve problems". The "problems" are of course much exacerbated by you selling the collection to all comers, good and bad alike.

> Let's stop the rhetoric about creating incentive to write
> viruses, though.

I think I shall continue to post my thoughts on the subject. Who is trying to suppress the free flow of information now?

> Now, I really believe that an open exchange of information
> contributes to the solution of the problem, so I am trying to
> make that information freely available.

Freely? I was certain that you were charging for it. Not that I wish to see the viruses themselves "freely" distributed, or even distributed at a handsome markup. We aren't talking about the freedom of information here, but the actual malicious programs themselves.
> If my work is attacked, perverted or misused, though,
> it's really hard for me to see it as being somehow my fault,

You are selling nastiness to anyone who wants to buy. I blame you for what you do.

- --
HENRY THE EIGHTH        BUT KEPT
PRINCE OF FRISKERS      HIS WHISKERS
LOST FIVE WIVES               Burma Shave

------------------------------

Date: Sun, 30 Oct 94 05:51:31 -0500
From: Iolo Davidson
Subject: KOH is not destructive (PC)

0005847161@mcimail.com "AMERICAN EAGLE PUBLICATION INC." writes:

> >I said No. It installed anyway. Then it trashed a floppy without asking
> >permission. Not nice..
>
> Ian, what you had must not be KOH. Obviously we cannot control what is
> not shipped out of our office, and whatever you got, it didn't come from
> us.

This is rich. You ship a virus, which reproduces itself, then claim that only the copies that you ship out are your responsibility.

> If anyone really does have a problem with KOH, please call, write,
> or e-mail and we'll get the problem resolved.

How do you withdraw the buggy versions, and replace them with bug-fixed ones, when they reproduce by themselves?

> Posting a problem to a public forum without ever
> trying to get it resolved with the vendor is malicious.

Haw! Haw! Haw! Haw! Haw! Haw! Haw! Haw! Haw! Haw! Haw! Haw!

> Secondly, please don't spread lies and disinformation unless you're
> prepared to have the same done to you.

This is a straightforward threat, and would be actionable in my country. Your problem is not lies, but the fact that the truth is so damaging. The neighbourhood is really going downhill.

- --
HENRY THE EIGHTH        BUT KEPT
PRINCE OF FRISKERS      HIS WHISKERS
LOST FIVE WIVES               Burma Shave

------------------------------

Date: Mon, 31 Oct 94 00:30:27 -0500
From: Peter Owen
Subject: Strange messages from Winword (PC)

I was called in to investigate the presence of a strange message that appeared at the top of a Winword printout.
On examination of the source file in question, there was no text corresponding to the offending text. Nothing in the main body of text, or in the header. The offending text is:

"When you use the Gopher, your computer isn't actually doing anything at all. Instead, these demons have mesmerized you with an evil magical spell, which was invoked by the pattern of finger-movements peculiar to the typing of the letters G-O-P-H-E-R on your keyboard. This spell transmits demonic information directly to your brain."

Has anybody seen anything like this?

------------------------------

Date: Mon, 31 Oct 94 00:45:47 -0500
From: Simon_Li@Douglas.BC.CA
Subject: Virus named Jack Ripper (PC)

Recently my colleagues came back from Hungary and brought back (accidentally) a virus called Jack Ripper. I don't think NAV can catch this virus. Once a computer is infected, the drive C is gone. Does anyone have any suggestions how to deal with this virus? Also, what is the latest version of NAV's virus definition file?

Thanks
Simon

------------------------------

Date: Mon, 31 Oct 94 07:58:29 -0500
From: langen@pols.ucl.ac.be (LANGEN Gabriel)
Subject: israeli boot and McAfee VSCAN117 and CLEAN117 (PC)

I have tried McAfee Vscan117. The program gives me an Israeli boot virus. I tried clean117 with the Iboot parameter and clean does nothing. Can anybody help me? Is there a false alert for Israeli boot or a problem in the clean program?

Thanks
LANGEN Gabriel
langen@pols.ucl.ac.be

------------------------------

Date: Mon, 31 Oct 94 09:03:27 -0500
From: Pierre.Berbigier@vbo.mts
Subject: Virus desactivation or cleaning (PC)

When I encounter an infected PC, I have 3 concerns:

1/ Deactivate the virus
2/ Identify how far the infection spread
3/ Try and figure out what permanent harm has been done

1/ Deactivate the virus: I intentionally do not use the term 'clean'. My goal is to prevent further infection to other files or diskettes or PCs.
Many AV products propose disinfection, and combined with standard DOS utilities like SYS, FDISK... this is generally not too difficult. In some cases your only choice is to restore infected files from backup or distribution media.

2/ Identify how many diskettes may have been infected and to whom they have been distributed, in order to inform them of the potential risk. Try and identify the source of the infection, so as not to be hit again later and to prevent others from becoming infected. This is not always an easy task, but with appropriate communication channels and an awareness campaign, you might succeed.

3/ It's now time to try and restore the PC to the state it was in before infection. To do that, you have the following choices: restore from a full backup (if you have one), which may be painful; use the results of an integrity checker on the whole disk, though you generally don't have the necessary to do a complete job; or use a virus dictionary to do selective restore of what might have been corrupted. Here is the problem: there is no complete virus dictionary that will describe correctly the payload of viruses. Antivirus researchers don't seem to be interested in publishing virus catalogs, while they all complain about Patricia Hoffman's dictionary. However, knowing that you've been hit by Form.A, which is often harmless and can be cleaned, or by Jack the Ripper, which swaps bytes in the write buffer every ~1000 writes, is very useful for the end-user: in the latter case, you cannot clean, you can only prevent further infection.

As an end-user, I need to know in summary: the infection method (boot (MBR or DBS), parasitic (which files), multipartite), whether the virus is memory resident, and which scanner/version detects this virus, in order to deactivate it. I'm not interested in knowing which interrupt vector it hooks, as long as I know it is memory resident and infects such files/media. But I need to know how destructive it is and what might have been corrupted.
Dear virus researcher,
Please, provide us with such tools !!!

- --
Digital Equipment                    Pierre Berbigier
(European Security)                  Pierre.Berbigier@vbo.mts.dec.com

------------------------------

Date: Mon, 31 Oct 94 09:04:19 -0500
From: marc@sisyphus.cl-ki.uni-osnabrueck.de (Marc Ronthaler)
Subject: KAOS4 (PC)

hello!

does anybody know what the KAOS4 virus does to a computer? is it harmful? i only know that it infects EXEs and COMs. but what happens when it's getting active??

thanks for any information

- --
marc

- -------------------------------------------------------------------------------
Marc Ronthaler
University of Osnabrueck
Institute for Semantic Information Processing
49069 Osnabrueck
Germany
- -------------------------------------------------------------------------------
e-mail : marc@hal.cl-ki.uni-osnabrueck.de
       : mronthal@dosuni1.rz.uni-osnabrueck.de
WWW Homepage: http://hal.cl-ki.uni-osnabrueck.de/
- -------------------------------------------------------------------------------

------------------------------

Date: Mon, 31 Oct 94 11:03:49 -0500
From: clotsche@coh.fgg.EUR.NL (P. CLOTSCHER @ COH)
Subject: Re: re:JUNKIE VIRUS (PC)

slota@rtsg.mot.com (Dave Slota) writes:

>I have removed the Junkie virus with NAV 3.0 and the latest patch.
>Both McAfee 117 & scan 2.1.0 found it but could not clean it. It did
>do a lot of damage to my windows files.

Experts, where can I find info about Junkie? I tried F-Prot 2.14 (it can detect & remove Junkie) and P. Hoffman's VSUM 94-09. Both negative. We had one infected floppy here that probably got infected in a public print service shop here in Rotterdam (as far as we could trace back).

Thanks and regards,
Pim Clotscher

Erasmus University Rotterdam - NL
I&A - Computer Support Hoboken
Tel. +31-104087420 / Fax +31-104362719
E-mail (Internet): clotscher@coh.fgg.eur.nl

------------------------------

Date: Mon, 31 Oct 94 12:15:55 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rebuilding Partition Table? (PC)

Kevin Kenney wrote:
)Since partition-table affecting viruses are becoming more common, and since
)anyone hit by a new one won't want to wait for scanners to be updated, I'm
)looking on how to rebuild a partition table, hopefully without trashing
)the disk's formatting. What tools would be needed, and do they exist,
)including in a commercial package? (What can access a C: drive the BIOS
)can't find?) I'd be willing to write such a generic tool, if pointed
)in the right direction. KpK
)

Norton's Diskedit can do what you want. You have to open the disc as a physical, not logical, disc. You can pretty easily rebuild the partition table using it.

The BIOS has no problem accessing the disc. It's DOS which cannot. It expects to find logical drives with file systems installed. Without a valid partition table, it is impossible to find logical discs.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Mon, 31 Oct 94 12:38:40 -0500
From: ccheney@crl.com (Carl Cheney)
Subject: Re: NYB [Gen B] virus detected. (PC)

From circumstantial evidence we think that a brand new computer from a well known mail-order PC vendor was pre-infected with NYB. Everything in the appended message appears to be correct; running FDISK /MBR made it disappear as far as the latest McAfee SCAN program is concerned. It appeared to us that the symptoms were that the computer would usually crash around 8AM. (Every morning as I arrived at work, I would lay my hands on the offending machine and it would sin no more--or at least not until the following morning.) Aside from occasional corrupted files due to dBASE files and indices not being updated correctly when the crash interrupted processing, NYB seems to have not done any other damage.
(Of course my client regrets the several thousand dollars of lost productivity while her workers stood around discussing this flaky machine, so this situation isn't as benign as it might sound.)

Does anyone else know anything more about NYB? I'm regretting not having saved a copy of the Master Boot Record; I'm no assembler hacker but it might have been fun to try to puzzle it out.

: Another division of my organization contacted me, to say they
: thought they had a virus on about 25 stand alone pc's. I furnished them
: with McAfee Scan v.117 and it detected the NYB [Gen B] virus resident in
: memory. I understand that the clean-up program is supposed to repair
: this, but they are asking what data they will lose in the process.
: According to documents supplied by McAfee, the virus installs
: itself in memory, and infects floppy and fixed disk boot sector. Are
: there other things we should take into account? Any help would be
: appreciated.

------------------------------

Date: Mon, 31 Oct 94 12:43:44 -0500
From: rodrigde@cat.cce.usp.br (Derneval R R da Cunha)
Subject: Freddy virus again (PC)

I posted some time ago an article regarding the detection of the Freddy virus by scan 2.0.2. Well, now this same virus reached a friend of mine. Detail: his hard drive was infected with the Athen virus, which I cleaned easily using clean.exe v. 117. After the cleaning process, the guy asked me to run NAV. Don't know what was the difference. I know that the message saying that the program had been changed was there, so I came back to what I was doing, and... Shit happens!!! The scan showed the same message. Okay, I booted from the clean virus floppy disk and executed the scan from there. The same files showed up infected with the "FREDDY" virus. Better, from 248 previously infected with the Athen virus, about 220 something were hit by this virus.
Even a floppy disk I put in the drive B: was infected (both files, one already infected with Athens - for research only, showed signs of infection), after only a dir and ren command in drive A:. I mean by the story above that this virus is really what I call a "fast infector". This is fast... What I wanna know is: Is there a way to kick it out without killing all files? The poor guy has no backups and bought the computer with the programs. His work is safe, but his programs not. Has anyone a program against it? I got scared man, after that. Really. Could happen to me. Any help will be appreciated.

Sig. Derneval

- --
+-------------------------------------------------------------------------+
| I log in, therefore I am. Reality is for people without Internet access.|
| Eu acesso, logo existo. Realidade e' para aqueles sem conta na Internet.|
| Internet: rodrigde@cat.cce.usp.br                                       |
|           wu100@fim.uni-erlangen.de                                     |
+-------------------------------------------------------------------------+

------------------------------

Date: Mon, 31 Oct 94 13:41:45 -0500
From: ANTHONY APPLEYARD
Subject: Windows CLEAN? (PC)

In McAfee Viruscan, I have found a DOS SCAN, and a DOS CLEAN, and a Windows SCAN, but where on earth is the Windows CLEAN????

------------------------------

Date: Mon, 31 Oct 94 14:30:20 -0500
From: tailored@netcom.com (Steve Midgley)
Subject: Re: DOOM II (PC)

I'm not going to say that doom ii is a 'bad' program, but it doesn't INHERENTLY have any more to do with viruses than Word Perfect 6.0. It's just a game.

Steve Midgley
Technical Services
Tailored Solutions.
** my opinions, not the company's **

------------------------------

Date: Mon, 31 Oct 94 14:32:53 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Removing boot sector virus from B: (CANSU/V-sign) (PC)

Russell Owsianski wrote:
)Hi all, recently, I found a boot sector virus on a 3.5" floppy. Scan211e
)calls it CANSU, fp214 calls it V-sign. Neither scan211e /clean nor
)clean117 can remove it.
:(
)
)I never executed anything from that disk, and the scanners say that the
)hard drive is still clean.
)
)First question: What can I use to get rid of the virus on the floppy?
)(hopefully without losing the data on the floppy)?

There are a couple of things you can do. You can try to find the original boot record on the floppy. This may be pretty easy or pretty difficult depending on how computer literate you are. If you find the original boot record, just copy it over the first sector on the disc, and you're done.

If you're not this computer literate, then here's another: copy all files onto another floppy using the copy *.* command. Do not use diskcopy. Then format the infected floppy. Then copy the files back. This assumes that none of the files on the floppy is a "dropper", i.e. a program which installs the virus.

)Second question: What would it take to activate this virus, or cause it to
)infect the hard drive? Getting a 'dir' of the floppy? Copying files?

Booting is probably pretty much it. I am not specifically familiar with CANSU, but most boot sector infectors require booting off of an infected floppy to infect. Doing a DIR command -cannot- infect you. Copying files -may- infect you if:

the file you copy is executable (.SYS, .EXE, .COM, etc.)
the file you copy is infected with a virus or is a dropper
you run the infected executable (or dropper)

)Thanks very much for any help.

You're very welcome.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 91]
*****************************************
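Mike McCarty's two answers in this digest (rebuilding the partition table with a sector editor, and copying a known-good boot record over the first sector) and the FDISK /MBR fix in Carl Cheney's post all rest on the layout of the Master Boot Record: 446 bytes of boot code, a 64-byte table of four partition entries, and a 2-byte signature. The following Python is an added example, not code from the digest or from any poster; it parses and sanity-checks a constructed MBR image and rebuilds it from known-clean boot code the way FDISK /MBR does, keeping the existing table.

```python
"""Added example (not from the digest): inspect and rebuild a DOS MBR.

All sector images below are constructed for the example; the boot code
is filler, not real code from any disk."""
import struct

SECTOR = 512
TABLE_OFF = 446           # 446 bytes of boot code, then four 16-byte entries
SIG_OFF = 510             # last two bytes hold the 0x55 0xAA signature
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, LBA len


def parse_partitions(mbr):
    """Return the four partition entries as dicts (type 0 means unused)."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, _, ptype, _, start, length = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFF + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "start": start, "length": length})
    return entries


def validate_mbr(mbr):
    """Return a list of problems with the sector; empty means it looks sane."""
    problems = []
    if mbr[SIG_OFF:] != b"\x55\xaa":
        problems.append("missing 55AA signature")
    used = []                                   # (index, start, length)
    for n, e in enumerate(parse_partitions(mbr)):
        if e["type"] == 0:
            if e["status"] or e["start"] or e["length"]:
                problems.append(f"entry {n}: unused type but non-zero fields")
            continue
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {n}: bad boot indicator {e['status']:#04x}")
        if e["start"] == 0 or e["length"] == 0:
            problems.append(f"entry {n}: zero LBA start or length")
        for m, s, l in used:
            if e["start"] < s + l and s < e["start"] + e["length"]:
                problems.append(f"entry {n} overlaps entry {m}")
        used.append((n, e["start"], e["length"]))
    if sum(1 for e in parse_partitions(mbr) if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    return problems


def rebuild_mbr(suspect, clean_boot_code):
    """Known-clean boot code + the suspect sector's own partition table.

    This is what FDISK /MBR does: only the first 446 bytes are replaced.
    It only helps while the table itself is intact, so validate it first."""
    if len(clean_boot_code) != TABLE_OFF:
        raise ValueError("boot code must be 446 bytes")
    return clean_boot_code + suspect[TABLE_OFF:SIG_OFF] + b"\x55\xaa"


def make_entry(status, ptype, start, length):
    """Build one 16-byte entry with zeroed CHS fields (constructed data)."""
    return struct.pack(ENTRY_FMT, status, bytes(3), ptype, bytes(3), start, length)


CLEAN_CODE = b"\xfa\x33\xc0" + b"\x90" * 443                 # filler boot code
TABLE = (make_entry(0x80, 0x06, 63, 204737)                  # C:, FAT16, active
         + make_entry(0x00, 0x05, 204800, 204800)            # extended partition
         + bytes(32))                                        # two unused slots
CLEAN_MBR = CLEAN_CODE + TABLE + b"\x55\xaa"                 # the saved copy
# Boot code overwritten by filler, table left alone: the usual MBR-infector case.
INFECTED_MBR = b"\xeb\x1c" + b"\xcc" * 444 + TABLE + b"\x55\xaa"

if __name__ == "__main__":
    print("table problems:", validate_mbr(INFECTED_MBR) or "none")
    print("boot code differs:", INFECTED_MBR[:TABLE_OFF] != CLEAN_MBR[:TABLE_OFF])
    print("rebuilt == saved:", rebuild_mbr(INFECTED_MBR, CLEAN_CODE) == CLEAN_MBR)
```

The comparison against a saved copy is the check Carl Cheney wished he had made; if the table fails validation, the rebuild cannot help and a saved copy of the whole sector is the only way back.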