VIRUS-L Digest Tuesday, 15 Nov 1994 Volume 7 : Issue 93 Today's Topics: Re: Distribution of Viruses Re: Netcom distributing Viruses Re: Common Virus Sources unix virus scanner (UNIX) Mainframe Viruses? (IBM VM/CMS/etc) Re: Can a master boot record be repaired? (PC) Re: Need Help with Stoned Virus (PC) Money on our back (PC) Where is the new version of FSHIELD? (PC) Re: tbav625/tbavx625 - Thunderbyte anti-virus v6.25 (Complete/Optimized) (PC) F-Prot bug with Gravis Ultrasound Windows Drivers (PC) Re: Anti-CMOS Virus Infection - HELP! (PC) Outbreak of Junki (PC) Any1 who have info of the junkie virus (PC) Virus infection - new virus? (PC) Re: F-prot freezes system. (PC) HELP: Form virus attacks Windows NT NTFS boot sector. (PC) Telecom virus (PC) Re: DOOM II (PC) NAV 3.0 updates ? (PC) Re: Monkey Virus is on our backs... (PC) Re: Forms Virus (PC) Re: Virus named Jack Ripper (PC) Re: memory scanning (PC) Re: Looking for Dr. Solomon upgrade (PC) Re: Exebug apparently surviving boot (PC) Re: Virus writers? (PC) contracting monkey/boot sector virus (PC) joke named Perv -Virus?? (PC) Help! Filler, GenB, GenP viruses (PC) GenB virus alert (PC) Re: DOOM II (PC) Re: Virus desactivation or cleaning (PC) Re: Exebug apparently surviving boot (PC) Re: DOOM II (PC) Re: Alphastriker?!!? - HELP (PC) Re: Help needed with PINWORM (PC) Re: MtE virus (PC) Can a virus spread like this? (PC) Re: stoned - Monkey (PC) Unzipping invb601.zip (PC) Re: The InVircivle Anti-Virus Expert System v6.01 (PC) Re: VCL?? (PC) Re: Removing boot sector virus from B: (CANSU/V-sign) (PC) Virus Info via Winhelp (PC) File listing for risc.ua.edu VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 02 Nov 94 14:19:33 -0500 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Distribution of Viruses Van Deun Dirk wrote: [stuff deleted about virus writing being "different"] )It is. Writing a virus is a kind of test of your knowledge of the )operating system, of the arcana of your computer. But I believe that )the people who consider writing virusses an intellectual challenge and )the people who spread virusses are not (always) the same. After all, most )virusses seem to be programmed as slight variations on other ones, not )from scratch, as a real 'hacker' (in the nice sense of the word) would )do. If programming languages came packed with 'virus libraries', )functions to make virus programming easy, like there are TSR libraries, )the first group would loose interest -- their knowledge is no longer )arcane. I do not know about the second group however: they seem to be )happy if there is a virus around that a) writes their nom-de-plume in )all bootsectors b) carries their political message c) destroys stuff in )their name. Well, I don't think writing viruses is really different. But then, I've been doing operating systems for about ten years now, so perhaps I have had my viewpoint altered by that. It is true that viruses often exploit arcane or unintentional features of operating systems. I also am something of a hacker, in the good sense. I also think you have a point in there being two different kinds of virus writers (at least). And supplying libraries or whatever will not deter what I would call 'vandals'. But neither will banning spray paint prevent people from putting grafitti everywhere. My point in reference to the first group is, they can have their curiosity satisfied and go on to other things, or even get really interested in software and make some real productive programs. With reference to the second group, the only thing one can do is try to catch them and make it very uncomfortable for them to discourage others from following in their wake. Those who want to get a virus to hack up and put their marks on someone else' disc can certainly get one. I got one when I wasn't trying to get one. It infected me against my will. Most of the reason for the existence of this group seems to be recovery from infection and defense against getting a virus when one doesn't want it. So it is easy to get viruses w/o wanting one. How difficult can it be to get one when one is trying? So I think that it is hopeless to try to defeat the second group of just pure vandals by tring to keep viruses out of their hands. Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Thu, 03 Nov 94 12:54:50 -0500 From: "R. Wallace Hale" Subject: Re: Netcom distributing Viruses On Wed, 26 Oct 1994 09:31:24 -0400 "The Radio Gnome" wrote: >>Come on, people! Netcom isn't infecting your computers. > > No, but potentially abusive Netcom subscribers can write >new viruses that will. Don't know what Netcom is or is not doing and have neither time nor interest to check. Haven't yet seen Joe Wells' WILDList approach the 6,000+ viruses Vesselin states are in existence. Any reasonably competent programmer could create a virus without much effort, even if the only available tool was DEBUG. Thankfully, very few do. Suspect it may be due to a combination of ethics and having more productive things to do with their time. > OK, I'll try a new tack... how would you feel if Netcom made >all the long distance touch tone diagnostic, technician and 'coin drop' >codes available? > > The phone providers have enough trouble with phreakers as is, why >make it more difficult for them by spreading knowledge that may be >interesting, but potentially dangerous? Much knowledge can be dangerous; depends on who has it and how it's used. Applies to common household type chemicals, over-the-counter pharmaceuticals, and Turbo Assembler. :) R. Wallace Hale halew@nbnet.nb.ca Mihi ego video, mihi ego sapio. ------------------------------ Date: Sat, 05 Nov 94 12:01:44 -0500 From: Zeppelin@ix.netcom.com (Mr. G) Subject: Re: Common Virus Sources kief@utk.edu (Kief Morris) writes: > >drmaier@wam.umd.edu (Louis Maier) says: > >>I'm trying to find out what the most common sources of >>infection are for typical PC based users/organizations (i.e. >>BBS's, shrink-wrapped products, internet, network >>technicians updating/diagnosing machine with infected >>disks,etc.) > The funny thing about this question is, you named ALL the most popular ways of infection. Lets start with #1 and go down the list. 1.) BBS's Depending on what you call out for, the chances vary. I have recently DL'd a Western Digital Driver update that took apart Win 3.11. It "Zeroed," out GDI.exe and remaned several files (ie: Win.ini ,System.ini), and removed several drivers. Also, Several cracks (nagg removers) are on the boards which offer the user the ability to bypass the "Please Register," some programs have. These cracks do not register the program, jsut de-bug the start. I recently also got hit by an update to my registered version of "Dashboard, HP." It went through the system within Win 3.11, and opened a dos window, and then deleted Command.com, and all Norton Commando files. It also deleted all files stated within my Config.sys file. 2.) Shrink Wrapped Local fuss has hit the Egghead stores about the employes taking home programs, installing them, Then re-shrink wrapping them. This is not just confined to that chain (don't sue me), but is a wide bassed problem. Then you can look at the Telemate 4.0 shrink Wrap release that came out last year with the Butterfly Virus within it. It was the reason that the virus spread so fast. 3.) Updating. You can solve this problem, by having a file, disk program active in mem (TSR) such as the ones offered by TBAV. TBDISK and TBFILE are both very watchfull. Also Invirusable (SP) is the latest craze. I am now using it along with TBAV. I reall like it, and it can be found at Oak.oakland.edu in the SimTel/msdos/virus area. These are all I wish to talk about because they are the 3 major reasons for infection. -Zep- ------------------------------ Date: Wed, 02 Nov 94 10:50:00 -0500 From: griffith@egr.msu.edu (Terry Griffith) Subject: unix virus scanner (UNIX) Hi, I'm looking for a virus scanner for unix (Solaris and HPUX) I'm looking for both freeware and retail products.... any help you can give me would be great! thanks Terry ------------------------------ Date: Fri, 04 Nov 94 01:51:05 -0500 From: MVillegas Subject: Mainframe Viruses? (IBM VM/CMS/etc) Has anyone heard of an IBM mainframe virus? Do or have they existed? ------------------------------ Date: Wed, 02 Nov 94 14:37:54 -0500 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Can a master boot record be repaired? (PC) wrote: )Mike McCarty writes: ) )>I suppose an ANSI bomb could run debug and actually type in the whole )>virus creating a program in memory or on disc and then run it for you. ) )I've seen this done. PKZIP has an option for creating an ANSI file that )will be displayed when the file is dezipped. It is often used for file )lists and titles but can execute an ANSI bomb. When the unsuspecting file )is unzipped the code is loaded either directly or into the function keys. But did the redefined key run debug to create a virus program? I know that ANSI bombs exist, and have also heard of (but not experienced) them being put in the PKZIP banner. But I have never heard of an ANSI bomb which caused a virus to be created. Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 02 Nov 94 14:41:34 -0500 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Need Help with Stoned Virus (PC) wrote: [quoted stuff removed] )You hit that on one the head. He should use the McAfee (or similar) 'CLEAN' )program. Stoned it very easy to remove with it. Be sure to 'clean' EVERY )bootable floppy you've got. ) )- -Enniaun ) enniaun@delphi.com 71327,3333@compuserve.com Um, Stoned infects non-bootable floppies, also. ALL floppies need to be checked. Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 02 Nov 94 16:12:15 -0500 From: sromeo@viagene.com (Steve Romeo) Subject: Money on our back (PC) I have a concern about Monkey. We found that it had infected quite a few of our hard drives, and after removing the virus and using fdisk we still have problems with the drives not functioning properly (unable to format the disk) any suggestions? - -- Steve Romeo Information Systems Administrator Viagene, Inc. ------------------------------ Date: Wed, 02 Nov 94 19:49:12 -0500 From: mikael@vhc.se (Mikael Larsson) Subject: Where is the new version of FSHIELD? (PC) Wen-Nung Tsai wrote in a message to All: WT> Hello there, Hello! WT> In the past years, I always used FSHIELD to protect WT> important files. I found the files shield by FSHIELD can WT> not RUN under DOS 6.22 Could somebody out there tell me WT> where to get a new FSHIELD? Thanks in advance. I believe FSHIELD is no longer in production, but to be 100% certain about that, mail to support@mcafee.com and ask them MiL, mikael@vhc.se Virus Help Centre - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Virus Help Centre Phone : +46-26 275740 Internet: mikael@vhc.se Box 244 Fax : +46-26 275720 Minicall: 0746-393334 S-811 23 Sandviken BBS #1: +46-26 275710 FidoNet : 2:205/204, 2:205/234 Sweden BBS #2: +46-26 275715 Auth. McAfee Associates Agent - - send mail to pgpmil@vhc.se for automated reply with my public pgp key - ------------------------------ Date: Wed, 02 Nov 94 20:32:11 -0500 From: c9419008@alinga.newcastle.edu.au (Edmund Lai) Subject: Re: tbav625/tbavx625 - Thunderbyte anti-virus v6.25 (Complete/Optimized) (PC) Piet de Bondt (bondt@dutiws.TWI.TUDelft.NL) wrote: : I have uploaded to SimTel, the Coast to Coast Software Repository (tm), : (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu : and its mirrors): : SimTel/msdos/virus/ : tbav625.zip Thunderbyte anti-virus pgm (complete) v6.25 : tbavx625.zip TBAV anti-virus - processor optimized versions I saw version 6.26 instead of 6.25. What happened to 6.25? : The Thunderbyte Anti-Virus utilities are ShareWare. There are four : security modules (TbScan, TbScanX, TbClean, TbMon) included. This : modules are programmed in assembler and there for very fast! TbScan is : a signature, heuristic and CRC scanner. It detects known, unknown and : future viruses. TbScanX is the resident version of TbScan. TbClean is : the first heuristic cleaner in the world. Even an infected file with : an unknown virus can be cleaned. TbMon consists of three resident : programs (TbMem, TbFile, TbDisk) which monitors your system against : unknown viruses. From version 6.22 a complete Windows version is : available. Note that for Windows you need both the Windows and the : DOS files! ------------------------------ Date: Wed, 02 Nov 94 22:42:14 -0500 From: gpinzone@ic.sunysb.edu (King of All Tech Support) Subject: F-Prot bug with Gravis Ultrasound Windows Drivers (PC) I found a small problem with using F-Prot Professional's windows VIRSTOP message program with a Gravis Ultrasound sound card (GUS). Any wav sound come only from the left channel and a beep comes from the right. MIDI is fine. ------------------------------ Date: Wed, 02 Nov 94 22:44:03 -0500 From: engp3002@leonis.nus.sg (Wu Hu) Subject: Re: Anti-CMOS Virus Infection - HELP! (PC) Ulrich Pinkernell (pinkeru@uni-muenster.de) wrote: > I had the same problem. Also the latest version of F-PROT found this virus > but did not remove it directly, but there was the option to overwrite the > Master Boot Record (MBR). Try VDS shareware rewrite MBR. Wu ------------------------------ Date: Wed, 02 Nov 94 22:52:34 -0500 From: 925741@brt.deakin.edu.au Subject: Outbreak of Junki (PC) Greetings, We just had an outbreak of the Junki virus, which was detected by both F-Prot and Dr Solomons but not Thunderbyte. All the software was current so we are at a loss to understand why it was skipped over. Just thought I'd let you know. ------------------------------ Date: Thu, 03 Nov 94 08:48:35 +0000 From: pi92ae@yngve.pt.hk-r.se (Andy Eskilsson (Flognat)) Subject: Any1 who have info of the junkie virus (PC) We have just discovered the junkie virus here at school, but we have no info about it, Are there any1 out there with some more knowledge that they would like to share? What viruskillers/detectors do you receommend, to get rid the virus? /andy - -- Don't walk in front of me, I might be unable to follow you. Don't walk after me, I might be unable to lead you. Just walk by my side and be my friend. ------------------------------ Date: Thu, 03 Nov 94 07:07:09 -0500 From: "Robert L. Lee" Subject: Virus infection - new virus? (PC) We have been infected today by a virus called the NEW VIRUS. could you please provide me with information about the NEW VIRUS and what it can do to our systems? Thanks Bob Lee ------------------------------ Date: Thu, 03 Nov 94 09:22:24 -0500 From: mrobinsn@mercury.interpath.net (Elston Gunn) Subject: Re: F-prot freezes system. (PC) Joshua Proschan (0004839378@mcimail.com) wrote: : I encountered a strange problem with f-prot 2.14: : : When I first got it, it worked without problems. Then : Now when I try to run f-prot it freezes the system, either : without starting (3 times), or after the blue screen appears : but before starting the check of memory (twice), or when : starting to check the boot sector on D: I have a similar problem, but mine is caused by F-Prot's VIRSTOP 2.14. I have sent Frisk a couple of letters on this, but so far no response. In my case, the system lock-up occurs after a successful boot and installation of VIRSTOP from config.sys, but only after I try to run various exe or com files (Procomm Plus is one such). No problem occurs with VIRSTOP 2.13, nor did any problem occur with previous versions of VIRSTOP. I have gone back to 2.13, even if the "old" and out of date message appears. I only hope that v.2.15 will locate and fix the bug. ------------------------------ Date: Thu, 03 Nov 94 10:40:03 -0500 From: tito@ciunix.uc.pt (Paulo Jorge Pimenta Marques) Subject: HELP: Form virus attacks Windows NT NTFS boot sector. (PC) The form virus usually attacks ms-dos disks in the boot sector. It appears to cause no harmful effects in ms-dos other than reproduce itself whenever an infected disk is booted. I hear that on certain days it attacks in more harmful ways, but I never experienced it. Under Windows NT, however, its effects are disastrous. I don't think the form virus could attack from within Windows NT itself, since the system is so robust, not allowing programs to mess up with the system. If, however, you boot up a PC with an infected floppy disk, the form virus attacks every partition it finds, not caring whether it is, FAT, HPFS or NTFS. Since the form virus was designed for FAT partitions, - being careful not to make itself noticed -, when it attacks some other type of partition, such as NTFS, it causes unpredictable results. In my case, I found out it renders the disk unbootable, and even if we configure that disk as a slave, and install NT in another disk, NT doesn't recognize the existence of any partition in the infected disk. It report a RAW partition. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! My question is: Does anyone know a way of restoring my original boot sector? Are there any antivirus programs for Windows NT? !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! No need to say I had critical data in that disk. Otherwhise I would just format it. I welcome any comments to my e-mail address: Malaquias@gemini.ci.uc.pt Thanks for your time, Jose Luis Malaquias ------------------------------ Date: Thu, 03 Nov 94 19:24:09 +0000 From: dnorman@av8r.dwc.edu (The Packetman) Subject: Telecom virus (PC) My friend is currently wrestling with the Telecom virus(maybe). While formatting his hard drive, the computer tells him that there is a possible virus. After continuing with the format, we ran f-prot and it returned saying that the telecom virus was present in memory. We then performed a clean boot and ran f-prot again. This time f-prot said the computer was clean. Just to make sure he tried to format the drive again, but the same virus message appeared. We have gone through the cycle of running f-prot and numerous other anti-virus programs but the virus hasn't showed up except for the first time, although the "possible VIRUS" message always appears when he tries to format the drive. Could anyone who has any ideas or knowledge about the Telecom virus please help us. Thanks. ------------------------------ Date: Thu, 03 Nov 94 21:31:07 -0500 From: dolson@shore.net (Don Olson) Subject: Re: DOOM II (PC) Bert.Martin@UAlberta.CA (Bert Martin) wrote: > I have a 486 with 46 corrupt files, mostly WINDOWS files. > Many more must be corrupt as the system hangs on most DOS commands. > F-PROT 2.14 detected nothing(except the corrupt files) from a clean boot. > VIRUSCAN 9.24 v116 found nothing. > CPAV hung on a file with sector not found. > DOOM II was found on this machine. > Could this be just a coincidence? > Has anyone found an actual virus directly related to DOOM II or > if DOOM II is the culprit, is it simply a BAD program? > There is an infected version of the pirated version of DooM2 that was uploaded to a few sites, as I understand it. From a.g.d: Todd Munk (tmunk@sdcc10.ucsd.edu) wrote: : I recently got the new F-PROT virus protection software. Include : in the variety of viruses that it finds and cleans is a DOOM ][ : virus called "whisper" (I think). It resides in the boot-sector : and occasionally deletes part of your FAT file structure. I bought a copy of DooM2, and it differs from the pirated copy that was going around in that the file dates and times are all 8/29/94 @ 7:56:54PM The pirated copy was dated several days earlier and had different (CRC) DooM2.EXE and SETUP.EXE files. I have allready deleted the pirated copy so can't tell you the date of those files. I don't know anyone that actually had any virus problems with the pirated copy, but have all switched to the official version since the release anyway. The real DooM2 isn't a "bad" program, it's just bloody fun. If you're using the pirated copy, support ID and get yourself an official copy... they deserve your financial support. Good luck with your machine and keep on slaying <:-) - -- So, this is a SIG, eh? | It is better to have a gun and not need it, | than to need a gun and not have it. ------------------------------ Date: Thu, 03 Nov 94 21:32:52 -0500 From: dolson@shore.net (Don Olson) Subject: NAV 3.0 updates ? (PC) I recently quit C$ and am a newbee on the internet. I still need to get NAV3.0 updates from Symantec, but nobody from Symantec seemed interested in responding to my requests on C$ for an internet site where they could be had. I would rather ftp than deal with their stupid BBS, since it usually only connects at 2400 baud lately and the toll call is a killer. Is there a site that carries them thar updates?? - -- So, this is a SIG, eh? | It is better to have a gun and not need it, | than to need a gun and not have it. ------------------------------ Date: Thu, 03 Nov 94 23:33:12 -0500 From: dshaw@martha.washcoll.edu (RaGNaRoK) Subject: Re: Monkey Virus is on our backs... (PC) >detector. Just install into your hard disk and you can totally forget >about the threat of boot viruses. The moment you switch on you PC and Correct me if I'm wrong here, but isn't this a bad frame of mind to have? I will *never* trust *one* piece of software to stop viruses. And I will ALWAYS be looking out for them. IMO, It is highly irresponsible to suggest that users just install program X and then forget about it. Eventually, there *will* be a virus that can evade or even destroy program X. What then? RaG ------------------------------ Date: Fri, 04 Nov 94 07:01:09 -0500 From: Malaquias@gemini.ci.uc.pt (Jose Luis Malaquias) Subject: Re: Forms Virus (PC) "Sean D. Canady (USF)" writes: >I messed up and rebooted my computer with a disk in the floppy and it >gave my the Forms Virus...I got rid of it using Norton Anti Virus, but= >now when I try to run Windows for Workgroups 3.11 it tells me that it >can't find the driver for 32bit access. And it says (i think this is >right) the interupt it u=97=03T We had a similar problem with the form virus and doublespace. We found out the form virus was not in the logical drive created by the= compression program, but in the REAL drive, which doublespace had renam= ed as g: Have you run your anti virus program on that drive? MSAV is quite en= ough. Anyway, the form virus kept coming back to that computer. I suspect som= eone was systematically using an infected disk. Eventually, after a week cle= aning ALL the computers disks, the infection went away. Good Luck Jose Luis Malaquias ------------------------------ Date: Fri, 04 Nov 94 09:14:34 -0500 From: dtheo1@umbc.edu (theo dino) Subject: Re: Virus named Jack Ripper (PC) I just had to deal with Ripper here at work. It is a master boot record infector and it can be destroyed by booting clean and using fdisk /mbr. Also check your floppies, they can be cleaned by sys X: (x is the drive letter of the floppy) If on the other hand, you don't like getting involved like this any decent antivirus product can "clean" the infection. Try F-Prot. Dino ------------------------------ Date: Fri, 04 Nov 94 09:51:50 -0500 From: rc.casas@ix.netcom.com (Robert Casas) Subject: Re: memory scanning (PC) Iolo Davidson writes: > > Veldman@esass.iaf.nl "Frans Veldman" writes: > >> Iolo Davidson writes: >> >> > clotsche@coh.fgg.EUR.NL "Pim Clotscher @ COH" writes: >> > >> >> Where can I get objective information about the thunderbyte >> >> anti-virus package? There was a review/test in Virus Bulletin of >> >> july 1994, but I have no access to that information. Can anybody >> >> tell the conclusion / strong points, weak points, etc.? >> > >> > I expect Richard Ford will be along to summarize the VB test. >> > >> > In a test in SECURE Computing (I'm technical editor) of *just* >> > the ability to find viruses in memory, which is important for >> > combating stealth viruses, Thunderbyte came off worst of the ten >> > products tested, with a score of 2 out of a possible 24. >> >> As a 'technical editor' you are acting rather unprofessional. > >This is libelous and actionable. > >I have discussed your message with the editor of SECURE >Computing, Paul Robinson, who has said two things of substance: > > 1- SECURE Computing stands by its review. > 2- He does not want me to get into a public argument with you. > >In view of your public attack on my professional reputation, I >have refused to accede to his second point. This reply >therefore comes from me personally, and not as a representative >of SECURE Computing. > >> It is a good custom to respect a developers' motivation >> about the design of his product. > >In journalism it is the custom to examine issues that the >journalist thinks relevant without paying too much attention to >the excuses of those being examined. I, for one, agree completely with Frans Veldman's position. A journalist's reporting is misleading and uninformative when she/he evaluates an issue ( or a product ) without regard for the conceptual and historical context of the issue discussed. When reporting an issue without benefit of such "context" the article becomes a vehicle for expression of the author's bias and "pique" to use your own word. It would appear to me that your position is a reflection of the changed "ethic" underlying journalism over the past few decades as media sensationalism and issue advocacy have increasingly taken the place of objective reporting. The _only_ fair way to objectively report the limits of TBAV is to do so in the context of explaining what TBAV is, or is not, designed to do. Your failure to see this reflects your "ethic" of reporting which I consider, at best, "immature." I am not in the least interested in what "the journalist thinks relevant." Material guided by this motive belongs on an editorial page. It does _not_ belong in an article that purports to be "objective." Since you were conducting a review of different AV products the value and importance of "context" assumes an even greater didactic and factual importance. Many AV products do _not_ share the same conceptual assumptions regarding the best methods for dealing with viruses. A clear expalanation of these differences would have been valuable and quite informative. Reporting your "tests" against the background of such conceptual differences in approach to Av would have served your readers well. It would have made your task as a reporter more complex....but it would have educated and informed your readers. The rest of your post does not deserve reply. After all, you state, "And since you have libeled me, I omit your excuses from this reply in a fit of pique." Since the remainder of your reply is motivated by "pique" I will ignore it as such. - ------------------------------------------------------------------------ Robert C. Casas, Ph.D. rc.casas@ix.netcom.com < or > 73763.20@compuserve.com ________________________________________________________________________ ------------------------------ Date: Fri, 04 Nov 94 09:53:46 -0500 From: gcluley@sands.co.uk Subject: Re: Looking for Dr. Solomon upgrade (PC) Date: Thu, 27 Oct 94 22:52:36 -0400 From: Zeppelin@ix.netcom.com (Mr. G) Subject: Re: Looking for Dr. Solomon upgrade (PC) Zeppelin@ix.netcom.com (Mr. G) writes: > bfbrown@teal.csn.org (Brian Brown) writes: > >My company has undergone severe re-organization and even a move > >of location. As a result, all of our docs/disks from Dr. Solomon's > >(S&S) DOS-based virus utilties are gone. All we have resident is an > >11-month-old set of .DRV and .EXE's, which remind us constantly that > >they are out of date. I have finally taken it upon myself, having > >been burned badly once by Michaelangelo, to find the new versions. > > > >In its on-line-help, Dr. Solomon's indicates upgrades are available > >via a bulletin board. Does such a board or FTP site exist? Can > >someone point me in the right direction? > > > >Email responses to brian@t1sys.com are appreciated, since our > >internet firewall is mail-only for the time being, and I have to call > >a dialup service provider to read news. > > Go to OAK.Oakland.edu SimTel/msdos/virus > -Zep- Err.. I don't know if Dr Solomon's driver files are available on oakland.edu, but I definitely know they *shouldn't* be. Dr Solomon's is a commercial product, and driver files are only available for download to registered users of the product. As I reminded in an earlier post it is a very good idea to keep the virus-scanning engine (FINDVIRU.EXE) updated at the same time. To upgrade the engine you will probably need to resubscribe. If you're based in the States a good point of contact for you is: S&S Software International, Inc 27660 Marguerite Parkway, #C-250 Mission Viejo CA 92692 USA Tel: 714 470 0048 Fax: 714 470 0018 email: 72714.2252@compuserve.com Compuserve: 72714,2252 Regards, Graham - - --- Graham Cluley [gcluley@sands.co.uk] S&S International PLC Product Specialist Alton House, Gatehouse Way Dr Solomon's Anti-Virus Toolkit Aylesbury, Bucks HP19 3XU Tel: +44 (0)1296 318700 United Kingdom Dr Solomon's, winner of the Queen's Award for Technological Achievement. ------------------------------ Date: Fri, 04 Nov 94 16:15:22 -0500 From: jch9@po.cwru.edu (Jackson Harvey) Subject: Re: Exebug apparently surviving boot (PC) >But Exebug can spoof a cold boot. It forces the computer to >start booting from the hard disk even though you think it it >booting from the floppy. Once it has loaded and run the >partition sector (MBR), getting the virus into memory and active, >then it continues the boot from the floppy so you are none the >wiser. For this reason, anti-virus scanners have to be able to >detect Exebug in memory. Excuse my ignorance, but how is this accomplished (possible)? If a computer is set to boot from floppy, and then from hard disk if a floppy is not available, how does the virus 'gain control'? Thanks, Jackson Harvey +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Jackson Harvey | 754-1727 | Secretary - Class of 1995 | EEAP-CWRU "One if by LAN, two if by C." - -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- ------------------------------ Date: Fri, 04 Nov 94 17:10:23 -0500 From: Tripp@richmond.infi.net (Tripp Lewis) Subject: Re: Virus writers? (PC) "Frans Veldman" says: >Excuse me? TBAV is written by me, but I'm not and have never been a >virus writer. Never written a virus? Not even a one to research a new idea? ------------------------------ Date: Fri, 04 Nov 94 19:21:16 -0500 From: kfb2@Lehigh.EDU (Keenan Brock) Subject: contracting monkey/boot sector virus (PC) How exactly do you catch a virus like monkey? I always boot from my harddrive. I don't see when code from the infected disk is run. A dir command executes code on my hard drive. When is code in the virus run? pointers to sources of information would be helpful aswell. keenan brock kfb2@lehigh.edu ------------------------------ Date: Fri, 04 Nov 94 21:12:30 -0500 From: CLEM@UTKVX.UTCC.UTK.EDU Subject: joke named Perv -Virus?? (PC) I was scanning our network for viruses today and found some sort of virus called "joke named Perv". Does anyone have any clue as to what this is? I was using Thunder Byte Anti-virus (v6.25) to scan the network. We did encounter Kaos4 today also, but I'm not sure if "joke named Perv" is related or not. Thanks, Scott clem@utkvx.utk.edu ------------------------------ Date: Fri, 04 Nov 94 21:49:11 -0500 From: achwong@hkusub.hku.hk (Albert C. H. Wong) Subject: Help! Filler, GenB, GenP viruses (PC) I really do not have any idea on how to remove Filler/GenB/GenP viruses from my PC. It is a mysterious matter. When just started my PC, I used Virusscan v117 to scan viruses and there was no discovery. However, when checking for viruses the second time using Virusscan v117 again, the viruses came out. Then, all I could do was to reboot my PC with a clean Virusscan floppy disk. However, there was still no discovery even I checked it several times. The viruses could only be detected again after I ran some programs from my fixed drives. But I was unable to clean them. Then, I used a newer version of Virusscan (v212) for virus checking. But nothing can be detected anymore. They cannot be detected also by using Thunderbyte Anti-virus utilities. Could anyone give me advice on this? Especially on how to clean the viruses? Otherwise, I have to format my harddisks which I extremely do not want to do. Any comments will be greatly appreciated. - -- {^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^} { Albert Wong } { Mobile and Radio Communication R & D Group } { University of Hong Kong } { achwong@hkueee.hku.hk } { achwong@hkusub.hku.hk } ^^^^^^^^^OOO^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^OOO^^^^^^^^^^^@@@@@& ------------------------------ Date: Sat, 05 Nov 94 04:59:27 -0500 From: Michel.Carbon@univ-lille1.fr (Michel Carbon) Subject: GenB virus alert (PC) I have avirus : GenB. I have detected it with scan117, on a floppy disk. how can I eradicate it , on my floppy disk? If there is a cleaner for that, where can I have it? Thanks in advance. Michel ------------------------------ Date: Sat, 05 Nov 94 04:05:20 -0500 From: kenney@netcom.com (Kevin Kenney) Subject: Re: DOOM II (PC) There have been posts on the Doom group stating that Doom's request to not use smartdrv be taken seriously. When run in DOS under Windows, something about the way it saves can lead to corrupt files. I think this was a problem in the pirate Beta. It's been a while since I read about it, so I may not have the details correct, but I'm fairly certain you just have Doom-related file corruption, and not a virus. I'll see if I can find more data, and repost. Good Luck ========================= KILL THE PARANOIDS Have fun! A Public Service Message, making paranoids happier, All standard disclaimers: apply! by letting them know that they are right. :o -> :> kenney@netcom.com ------------------------------ Date: Sat, 05 Nov 94 07:14:50 -0500 From: "R. Wallace Hale" Subject: Re: Virus desactivation or cleaning (PC) On Mon, 31 Oct 94 09:03:27 -0500, Pierre Berbigier wrote: > > Antivirus researchers don't seem to be interested in publishing virus > catalogs while they all complain about Patricia Hoffman's dictionnary: Doubt that it's a case of disinterest; more likely due to the rather daunting nature of such a task and the resources necessary to produce an adequate catalogue. > However, knowing that you've been hit by Form.A that is often harmless > and can be cleaned or by Jack the Ripper which swap bytes in the write > buffer every ~1000 write is very usefull for the end-user: In the latter > case, you cannot clean, you can only prevent further infection. > >As an end-user, I need to know summary infection method : boot(MBR or DBS) >parasitic (which files), multipartite, whether the virus is memory resident, >which scanner/version detects this virus, in order to deactivate it. Seems to me that Vesselin last reported a number in excess of 6300 known viruses. IF one had specimens of all of those, and IF one had copies of all currently available scanners, and IF one had the human and hardware resources to perform adequate detection tests, I seriously doubt that the results could be posted before new versions of the AV tools were released and new viruses appeared to render the testing invalid. >I'm not interested in knowing which interrupt vector it hooks, as long as I >know it is memory resident and infects such files/media. But I need to know >how much destructive it is and what might have been corrupted. > >Dear virus researcher, Please, provide us with such tools !!! If valid information was available on just the viruses that are actually in the wild it should be of tremendous assistance. It would seem to me that such data could be readily compiled, given the resources available in this list. I do think the topic is worth exploring. R. Wallace Hale halew@nbnet.nb.ca Mihi ego video, mihi ego sapio. ------------------------------ Date: 04 Nov 94 18:09:39 +0000 From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin) Subject: Re: Exebug apparently surviving boot (PC) Iolo Davidson writes: >But Exebug can spoof a cold boot. It forces the computer to >start booting from the hard disk even though you think it it >booting from the floppy. Once it has loaded and run the >partition sector (MBR), getting the virus into memory and active, >then it continues the boot from the floppy so you are none the >wiser. For this reason, anti-virus scanners have to be able to >detect Exebug in memory. How can Exebug spoof a cold boot? (I am not asking this to try determine how to write such a virus, it's just that I don't understand you it is possible.) - -- Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea 216-5888@mcimail.com 70707.453@compuserve.com arubin@pro-sol.cts.com (personal) My opinions are my own, and do not represent those of my employer. This space intentionally left blank. ------------------------------ Date: Sat, 05 Nov 94 12:09:51 -0500 From: Zeppelin@ix.netcom.com (Mr. G) Subject: Re: DOOM II (PC) Bert.Martin@UAlberta.CA (Bert Martin) writes: > >I have a 486 with 46 corrupt files, mostly WINDOWS files. >Many more must be corrupt as the system hangs on most DOS commands. >F-PROT 2.14 detected nothing(except the corrupt files) from a clean boot. >VIRUSCAN 9.24 v116 found nothing. >CPAV hung on a file with sector not found. >DOOM II was found on this machine. >Could this be just a coincidence? >Has anyone found an actual virus directly related to DOOM II or >if DOOM II is the culprit, is it simply a BAD program? >Please respond to me directly or this forum. >Flames welcome, just include some FACTS to help me out. ;) >Thank You for all responses. >==================================================== ___O >Bert Martin # BOOT HUMOR: # \ > /__,/ Plow >University of Alberta # keyboard error # \ / / the >(403)-492-5356 # Press F1 to RESUME # \ * Powder! >===================================================== \, > > Bert; In the PRE-JULY version of DOOM ][, the file Detect.com had the Godlbug virus attached to it. Now, from what I understand, there may be a new DSME (Dark Slayer Mutation Engine) out there that has Skunk Works type Stealth ability. I have recently had to do several restores from something that I cannot find. Also, there is a new Stoned out, and it is very corruptive. -Zep- ------------------------------ Date: Sat, 05 Nov 94 12:12:31 -0500 From: Zeppelin@ix.netcom.com (Mr. G) Subject: Re: Alphastriker?!!? - HELP (PC) mt0001%albnyvms.BITNET@uacsc2.albany.edu writes: >Hi - I recently ran the latest version of F-prot and it detected >Alphastriker. I then chose the "automatic disinffect" option, and >the program did its thing. The hard drive is now virus-free, but >there are problems! Windows wont start, and emm386 is reporting some >sort of errror, and then haulting the system. I know that many key >files were infected (command.com, win.com, etc.) could they be >permanantly damaged. Where do I start with repairing my system?! >Any help is really appreciated !! (on the virus, or what to do now) >Thanks alot - pls. post response OR email me. I suggest that you pull out that BACK UP the you did last month. You do back up monthly don't you. -Zep- ------------------------------ Date: Sat, 05 Nov 94 12:13:27 -0500 From: Zeppelin@ix.netcom.com (Mr. G) Subject: Re: Help needed with PINWORM (PC) m.brown@imperial.ac.uk (Mr M.J. Brown) writes: > >Zvi Netiv writes: >> -=> Quoting Jay Fuller to All <=- >> >> JF> I've had a caller report to me on my system he is infected with >> JF> pinworm ,and he is really anxious to get a clean for it. is there a >> JF> clean out anywhere which will totally get rid of Pinworm? > >[cut for brevity] > >> Pinworm is in the wild for already 6 to 8 months and although samples >> were sent to most leading AV developers, there is not one signature >> scanner that I know of at this moment that detects it in files. > >Sweep from Sophos definitely does detect it -- I know, because I added it. >It's been there for at least three months. > >> A few instruction to get it right at the first shot: As Pinworm is >> heavily encrypted and polymorphic > >Rubbish. Pinworm is pretty pathetic as polymorphic viruses go -- it >exhibits little variation in the code it generates, and it's very easy >to detect. > >- -Matt > > Is Sweep free ?? Is there an FTP site for it ?? -Zep- ------------------------------ Date: Sat, 05 Nov 94 12:14:23 -0500 From: Zeppelin@ix.netcom.com (Mr. G) Subject: Re: MtE virus (PC) charlesb@bedford.progress.COM (Charley Boudreau) writes: > Can anyone give me any info on the MtE virus. I was infected with it >yesterday. InocuLAN cleaned it up nicely, but I'd like to know what damage it >was trying to do and any technical info on it. > > Hwo could you get infected by the MTE ?? Every AV product out there (TSR) see's it ?? I suggest that you start running a TSR package REAL SOON ! -Zep- ------------------------------ Date: Sat, 05 Nov 94 23:44:07 -0500 From: Brendan Bartlett Subject: Can a virus spread like this? (PC) Recently I have come in contact with a novell network that seems to have a few viruses on their PCs. While I and a few of my friends were getting rid of the viruses, my friend commented that he thought he was spreading the one of the viruses to other machines. My question (if anyone knows that answer, that is) is What dos DOS read into memory from a floppy when all you do is a simple directory listing? Is control ever passed over anywhere on the disk (I can't imagine why, but I can't imagine why DOS is the way it is)? I do know that DOS reads in the boot sector every time it touches the disk (to get the # of sectors, etc), but control is only passed over to that when you boot. - Anyway, simply putting your floppy disk in a known infected machine (lets say with the Boot 437 virus) typing DIR (ok, now the disk can be infected my a memory resident virus) and then going over to a clean machine and typing DIR on that machine doesn't infect that machine, right? - -Thanks for any reply. ------------------------------ Date: Sun, 06 Nov 94 02:22:06 -0500 From: jbourne@epaus.island.net (James Bourne) Subject: Re: stoned - Monkey (PC) David Garcia (dlgarcia@dorsai.dorsai.org) wrote: : Kahrs, Christian 7-95 (kahrs@gribb.hsr.no) wrote: : : To anyone out there : : I have a problem with my PC. I'm stoned.... by monkey and not : : something good. : : What can I do to get rid of this problem????? : I just had that on my laptop last night. It hits the boot sectors of : the hard disk and the floppy drives. I tried using clean-up to remove : it from a floppy, but it said that it couldn't safely be removed. : But all things considered, I would rather have spent the day at the mall... : - --- : David Garcia (dlgarcia@dorsai.dorsai.org) I had a stoned virus on the HDD of my desktop and got rid of it. Try f-prot, developed by Fredrick Skulason in Iceland. It is a scanning antiviral program that can detect almost any know virus and disarm most. It is available from MERIT and mirror sites. - -- __________________________________________________________________ | | | | Jim Bourne | There is no reason to be crude | | jbourne@epaus.island.net | rude and socially unacceptable | | | -IT'S JUST FUN!!!! | |_________________________________|________________________________| 'This is indeed life itself!' The Oval Portrait - E.A.P. ------------------------------ Date: Sun, 06 Nov 94 04:24:40 -0500 From: piyasw@morakot.nectec.or.th (Piyasiri Wickramasekara) Subject: Unzipping invb601.zip (PC) Greetings. I downloaded invb601.zip programme using ftp but I cannot unzip it. Pkunzip does not recognize it. Norton Commander unzipped a few files including install.exe but installation does not run. It says programme files not found. I shall appreciate any help you could give me. I could not locate a faq on this. Thanks and regards. [Moderator's note: I suspect that you didn't FTP the file as an 8 bit (aka "binary") image file.] ------------------------------ Date: Sun, 06 Nov 94 09:09:23 -0500 From: Zeppelin@ix.netcom.com (Mr. G) Subject: Re: The InVircivle Anti-Virus Expert System v6.01 (PC) rc.casas@ix.netcom.com (Robert Casas) writes: > >frankj@tv.tv.TEK.COM (Frank Jazowick) writes: > >> I just have heard about the 'new' anti-virus program called >>The InVircivle Anti-Virus Expert System v6.01... >> >> It just came out of Israel and is being used by Australia and >>New Zealand. >> >> So as anyone heard of this program and how good it is as >>compared to well-known shareware and commerical anti-virus >>programs????? > >Hi Frank: >I just sent this off in reply to another post about InVircible. You >might find it interesting , too. > >>Hi readers..... > >> >F-PROT is a very good scanner. So, too, are TBAV and AVP. However, >InVircible is not really an AV product designed around the concept of >"scanning" to detect viruses so that you can remove them. This is >probably one of the most difficult ideas that people familiar with >traditional AV tools - such as F-PROT, TBAV, and AVP - will have to >deal with to understand and accept InVircible. > >InVircible does have a virus scanner (IVSCAN) but it is designed to >detect common viruses. Also, it does not work with "signatures" or >"heuristics" in the way most "scanners" do. In any case, IVSCAN is not >the most interesting or powerful feature of InVircible. I have been using IV for about a week, and was pleased with its graphical approach as well as its speed. I used the IVINIT, IVB, IVSCAN at boot up, and felt secure. Well, being a little paranoid, I kept my Registered TBAV,TBMEM active as my only TSR. No PROBLEMs, yet. So this week, after having to rebuild a friends HD after a Whisper attach, I decided to add TBcheck and TBfile to my active TSR's. Here is where it got sticky. Upon bootup, after TBMEM/TBCHECK/TBFILE were active , IVINIT sent a flag to TBAV. Several in fact. Then IVB started sending flags (warnings) to TBAV, and TBAV told me that IVB was trying to rename Command.com to @!$&.com (this is no shit), and would I like to stop it. The first time I said no, and IV went on to remane 6 different files from DOS and set them in my root directory. When all the TBAV/IV flags stopped, my system hung telling me that it could not find a command interperter. I booted from my Norton Utilities Rescue Disk (not the one IV made), and did a SYS c: to restore my missing Command.com. I then went to Norton Commander and viewed the Drive. I found that the 6 files were 6 bytes long, and named like that of a "Stoned Marked," file. I deleted them, and restored the renamed files with my 6.22 setup disks. I have removed IV from my autoexec.bat, but not from the HD, YET. I plan on trying the IVSCAN a little later, after I get a response from this post from the author. ------------------------------ Date: Sun, 06 Nov 94 14:08:39 -0500 From: frisk@complex.is (Fridrik Skulason) Subject: Re: VCL?? (PC) Tripp@richmond.infi.net (Tripp Lewis) writes: >Close them down? Why? how the hell do you think all the av companies >can put 50-80 scan strings in their software per update? You think they >find them in the wild? Take another guess! In our case: 5% we get initially from "in the wild" situations. Those viruses are the most serious ones....the users got them before we did, and they get the highest priority. This percentage has been constantly dropping...it used to be over 30% back in '89. 35% we get from wellow CARO members - some of those viruses are from the wild too, of course. We regularly exchange virus samples with people in this group. 25% we get from other researchers outside CARO. Many of those may have been downloaded from VxBBSes .... I can not say for sure, but at least we have a policy of never downloading samples from VxBBSes. In fact I have a personal policy ov NEVER calling a BBS anywhere myself...so, SysOps, please note .... any "Fridrik Skulason" you have in your userlist is not me..... :-) 35% we get directly from the virus authors, or from people thar are somewhere in the "gray area" ... give viruses to virus writers as well as anti-virus authors. I guess the numbers are pretty similar for many other anti-virus companies. - -frisk Fridrik Skulason Frisk Software International phone: +354-1-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-617274 ------------------------------ Date: Sun, 06 Nov 94 17:04:56 -0500 From: cowen@moosilauke.dartmouth.edu (Charles Owen) Subject: Re: Removing boot sector virus from B: (CANSU/V-sign) (PC) Russell Owsianski wrote: )Hi all, recently, I found a boot sector virus on a 3.5" floppy. Scan211e )calls it CANSU, fp214 calls it V-sign. Neither scan211e /clean nor )clean117 can remove it. :( ) I was also recently infected with CANSU which is what Norton AV called it. I cleaned it just fine, but am wondering what CANSU does? Could it have caused problems in the system? We got it because my wife formated a disk at a school where she teachs a class on a machine found to be infected. When she booted with the floppy in by accident it infected the machine. Ctrl-Alt-DEL will infect any floppy in the drive, BTW. - -- | Charles B. Owen Charles.B.Owen@dartmouth.edu | | Dartmouth College Home: 603-448-5677 | | 6211 Sudikoff Laboratory, Rm 108 | | Hanover, NH 03755 | ------------------------------ Date: Mon, 07 Nov 94 00:19:29 -0500 From: jrice@pluto.pomona.claremont.edu Subject: Virus Info via Winhelp (PC) Hello, all. I've just completed a "first release" of a virus info sheet using Windows 3.1 Help file. This was intended as a document for use on campus here, for a user group with little or no experience with viruses. Anyway, my point: I'm not an expert on viruses, although I do have some experience with them. If anyone's interested, I'd like for a few people of various levels to read this over and let me know what they think: if I've been too brief in the interests of simplicity, or just dead wrong. Anyway, if you are interested, email me and I'll fill you in. Thanks, Jeff Rice Office of Information Technologies Pomona College ------------------------------ Date: Thu, 03 Nov 94 09:43:42 -0500 From: JFORD@UA1VM.UA.EDU Subject: File listing for risc.ua.edu Its been awhile since I've posted to the list about IBM antiviral files located on risc.ua.edu. Below is a current listing of available files. If you see some files that are out of date please let me know. If an update is available please direct me to the anonymous FTP site. Risc.ua.edu's archives are now available via Gopher (gopher risc.ua.edu) or Mosaic via the URL gopher://risc.ua.edu - -- James - --------------------------------------------------------------------- Listing of risc.ua.edu for Wed Nov 2 12:35:00 CST 1994 /pub/ibm-antivirus - ------------------ cache (ignore) cvc792am.zip mtetests.zip vc300lte.zip cache+ (ignore) cvc792ma.zip mythsv10.zip vcheck11.zip cap/ (ignore) cvc792ms.zip nav21upd.zip vchk23b.zip 0files.index cvcindex.zip nav30upd.zip vdetect.zip 0fprot.note dir2clr.zip nsh152a.zip vds210t.zip 0mcafee.note ds231b.zip secur235.zip virlab15.zip 20a10.zip fixutil5.zip sentry02.zip virpres.zip Mirrors/ fp-214.zip stealth.zip virsimul.zip Valert-l.readme fshld15.zip tbav626.zip virstop.zip Virus-l.faq fsp_184.zip tbavw626.zip virusck.zip Virus-l.readme gs.zip tbavx626.zip virusgrd.zip aavirus.zip hack1192.zip tbfence3.zip virx293.zip allmsg.zip hs-v358.zip trapdisk.zip vkill10.zip avp_107b.zip hs35.zip unvir902.zip vshell10.zip avs_e224.zip htscan20.zip uxencode.pas vsig9305.zip bbug.zip i_m231b.zip v-faq.zip vstop54.zip bootid.zip innoc5.zip vacbrain.zip vtac48.zip catchm18.zip killmnk3.zip vaccine.zip vtec30a.zip ccc91.zip langv106.zip vaccinea.zip wcv201.zip chk.zip m-disk.zip validat3.zip wp-hdisk.zip chkint.zip msg_9_12.zip vc300ega.zip ztec61b.zip /pub/ibm-antivirus/Mirrors/complex.is - ------------------------------------- README bars.zip list.zip puzzle.zip Technotes/ drinfo.exe nov94.txt xxdecode.c ad_video.sys fp-214.zip pgp261.zip xxencode.c /pub/ibm-antivirus/Mirrors/mcafee/antivirus - ------------------------------------------- 00-INDEX.TXT clean117.zip osc-212e.zip strtl3.exe wscan117.zip 3ns161rc.zip dat-212.zip oscan117.zip vir117b.zip 3nsh160.zip killmnk3.zip scanv117.zip vsh-212e.zip 4ns161rc.zip libup3.exe scn-212e.zip vshld117.zip 4nsh160.zip ocln117.zip sentry02.zip wsc-212e.zip /pub/ibm-antivirus/Mirrors/mcafee/utility - ----------------------------------------- 00-INDEX.TXT mcf100.zip target15.zip wpv102a.zip ccp11.zip pv12.zip tcm100b.zip /pub/ibm-antivirus/Mirrors/mcafee/vsum - -------------------------------------- INDEX.TXT vsumx409.zip ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 93] *****************************************