VIRUS-L Digest   Monday, 5 Dec 1994   Volume 7 : Issue 96

Today's Topics:

Viruses in newsgroups - how can that be?
Re: Virus Laws
Virus writers?
Re: What's a Logic Bomb ?
Re: Viruses via usenet! alt.comp.virus
OS/2 Virus Susceptability? (OS/2)
Re: Recommendations (?) on OS/2 Scanner/Disinfector (OS/2)
Re: DOOM II (PC)
Re: File listing for risc.ua.edu (PC)
FORM virus on Doublespaced Drives (PC)
Re: VCL?? (PC)
Info on Teletype Virus (PC)
Re: AV Lab (PC)
Re: NAV 3.0 updates ? (PC)
Re: invb601a.zip - The InVircible Anti-Virus Expert System v6.01A (PC)
Re: Need Help with Stoned Virus (PC)
Re: NAV 3.0 updates ? (PC)
Re: Telecom virus (PC)
Re: "The Tojo Virus" by Randall (PC)
Virus-Made Directories (PC)
Re: GenB virus alert (PC)
Re: Vacsina v 5 ?!? Info wanted!!! (PC)
Trident virus info? (PC)
MSAV / F-Prot comparison (PC)
Best form of Virus Protection? (PC)
Re: PC drops out of Windows. Virus? (PC)
Re: Mouse ports (PC)
Re: AV lab (PC)
RE: invb601a.zip - The InVircible Anti-Virus Expert System v6.01A (PC)
Help! Filler, GenB, GenP viruses (PC)
Re: GenB virus alert (PC)
Protection... (PC)
Re: NCSA hasn't heard of Viking virus (PC)
HELP: Writing an anti-virus (PC)
Re: Anti-CMOS Virus Infection - HELP! (PC)
Re: DOOM II (PC)
help! virus on Nov.15th ??? (PC)
NATAS Virus Alert! (PC)
Re: Virus Alert -- NATAS. (PC)
Re: DOOM II (PC)
Network Antivirus NLM's / need advise (PC)
memory scanning (PC)
fp-215.zip - Version 2.15 of the F-PROT anti-virus program. (PC)
bull-215.zip - ASCII-version of F-PROT 2.15 Update Bulletin (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 16 Nov 94 12:27:44 -0500
From: kwwu@hkusub.hku.hk (Wu Kwok Wai)
Subject: Viruses in newsgroups - how can that be?

I have come across a lot of materials which mentioned that virus could be spread through newsgroup, how can that be possible? I would appreciate if someone may inform me on that so that I could be well prepared when it strikes next time.

Best Regard
Peter Wu

[Moderator's note: Simple - uuencoded files being posted as messages to the group. Same method used to post digitized pictures to other groups. There's no harm to the casual reader - unless s/he uudecodes the viruses (or pictures! :-) and runs them.]

------------------------------

Date: Wed, 16 Nov 94 13:21:34 -0500
From: parvo@netcom.com (Digital Justice)
Subject: Re: Virus Laws

NCOE7 wrote:
>I am looking for sources of information concerning computer virus
> laws in the United States.

From what I know...there isn't any yet. The only thing illegal involving a "computer virus" is the intentional spreading or "passing on" of one to another party with the intention of spreading it or causing damage. It is NOT illegal to write, possess, trade, study, compile or anything else a virus. But if you intend to cause some sort of damage with it, then there's a problem. Also the damage is limited (under federal law) to government computers and banking institutions. That it?
- --
+---------------------+--------------------------------------------+
: Digital Justice     : "I TOLD YOU NOT TO BE STUPID, YOU MORON!"  :
: INFES-Station SysOp :                                            :
: NuKENet '94         :                                  Ben Stern :
+---------------------+--------------------------------------------+

------------------------------

Date: Thu, 17 Nov 94 01:14:18 -0500
From: "Frans Veldman"
Subject: Virus writers?

Tripp@richmond.infi.net (Tripp Lewis) writes:
>"Frans Veldman" says:
>>Excuse me? TBAV is written by me, but I'm not and have never been a
>>virus writer.
>Never written a virus? Not even a one to research a new idea?

Why should I? Programming is for 80% thinking about a concept or an idea, and only 20% for the actual implementation. When implementing it, you have already done the intellectual part of the job.

Of course I have spent many hours to think about what "they" can do in their next viruses. It was obvious for me that it is possible to create a polymorphic virus long before the first one actually appeared. But this doesn't mean that I had to write a full fledged polymorphic virus to imagine that it is possible! Other virus researchers (and even virus writers!) have this experience. I bet that many people have thought about stealth viruses before someone actually implemented such a thing.

CARO members often meet each other at conferences, and among the many things we do we sometimes perform a "nightmare session". In a nightmare session we sit and drink together, and think about all kind of nasty things virus writers can do to make our life (or their victims life) much harder. And we also think what we can do against it, in case it is needed. Many of our "nightmares" have come true (in which case we were already prepared for it), but many didn't (yet). When we would have been virus writers... Oh boy...

Anyway, it isn't necessary at all to create a virus just to understand or imagine a new concept. We leave that step to the virus writers. It saves us a lot of time.
- --
Thunderbye, Frans Veldman    <*** PGP 2.3 public key available on request ***>

Frans Veldman           Phone (ESaSS) + 31 - 80 787 881
veldman@esass.iaf.nl    Fax (ESaSS) + 31 - 80 789 186
2:280/200.0@fidonet     Fax (VirLab) + 31 - 59 182 714

------------------------------

Date: Thu, 17 Nov 94 12:26:07 -0500
From: torh@central.sussex.ac.uk (Tor Houghton)
Subject: Re: What's a Logic Bomb ?

Billy Nadeau (billy@step.polymtl.ca) wrote:
> But I don't know what's a Logic Bomb. Can anybody tell me what it is
> and how it strikes ?

Generally, a logic bomb can be described as a piece of code which is hidden somewhere (boot block, or executable), which, at a preset time, does something malicious (wiping disks, corrupting files, etc.).

Logic bombs usually differ from viruses in that they don't reproduce. They are also, unlike viruses, placed into a system for a purpose (a virus writer usually releases his virus 'unto the masses' to see how far it gets, a logic bomb writer releases his bomb into a specific system for some specified purpose).

Er, hope this helps!

Tor.

- --
- -----------------------------------------------------------------------------
email: torh@cogs.sussex.ac.uk        "Old England is dying." - The Waterboys
- -----------------------------------------------------------------------------

------------------------------

Date: Thu, 17 Nov 94 14:14:09 -0500
From: thornton@nbnet.nb.ca (Bev Thornton)
Subject: Re: Viruses via usenet! alt.comp.virus

On 16 Nov 1994 14:52:02 -0000, jrice@pluto.pomona.claremont.edu writes:
> What is the situation with the group alt.comp.virus?
>Today I have seen the code of no less than 4 viruses posted in
>the group, with no signs that this will stop. How can this be
>permitted, being, as it is, illegal in quite a few countries?
>Let's be honest, these people are not researchers....so great,
>we've got a virus-exchange center in Usenet.

Yeah, they do that there but there is argument over it. People on that list helped me clean a new virus off my system.
This list was down.

See You Later,
Bev
thornton@nbnet.nb.ca

------------------------------

Date: Thu, 17 Nov 94 03:03:07 -0500
From: maf10@po.CWRU.Edu (Moses A. Fridman)
Subject: OS/2 Virus Susceptability? (OS/2)

Does anyone know how DOS viruses such as Monkey would behave under OS/2? Does anyone know of native OS/2 viruses, or virus scanners?

Thanks,
Mo

- --
Once you realize life is futile, you can start enjoying it.
Moses A. Fridman, Physics Major
Case Western Reserve University

------------------------------

Date: Thu, 17 Nov 94 11:57:22 -0500
From: "Yann Stanczewski (914-759-3117)"
Subject: Re: Recommendations (?) on OS/2 Scanner/Disinfector (OS/2)

Dave/Bruce,

Just wanted to make some clarifications to your append.

>I've used IBM AntiVirus/2 for OS/2, and it seems to be satisfactory. I think
>that it will detect but cannot disinfect the Monkey virus, but it does detect
>and kill a great many others. There's an IBM AntiVirus center, but I don't
>know the number off the top of my head.

IBM AntiVirus/2 (and IBM AntiVirus/DOS) 1.07 *does* remove the Monkey-1 and Monkey-2 viruses (aka Monkey-A and Monkey-B), and has done so for a couple of releases. If there are customers who were not able to use IBM AntiVirus 1.07 to clean up a Monkey infection, we would certainly like to know more about it.

For further information or assistance about the IBM AntiVirus product: 1-800-742-2493.

Yann Stanczewski
IBM/ISSC AntiVirus Services

------------------------------

Date: Wed, 16 Nov 94 09:57:55 -0500
From: Zeppelin@ix.netcom.com (Mr. G)
Subject: Re: DOOM II (PC)

dolson@shore.net (Don Olson) writes:
>Bert.Martin@UAlberta.CA (Bert Martin) wrote:
>> I have a 486 with 46 corrupt files, mostly WINDOWS files.
>> Many more must be corrupt as the system hangs on most DOS commands.
>> F-PROT 2.14 detected nothing(except the corrupt files) from a clean boot.
>> VIRUSCAN 9.24 v116 found nothing.
>> CPAV hung on a file with sector not found.
>> DOOM II was found on this machine.
>> Could this be just a coincidence?
>> Has anyone found an actual virus directly related to DOOM II or
>> if DOOM II is the culprit, is it simply a BAD program?
>>
>
>There is an infected version of the pirated version of DooM2 that was
>uploaded to a few sites, as I understand it. From a.g.d:
>
>Todd Munk (tmunk@sdcc10.ucsd.edu) wrote:
>: I recently got the new F-PROT virus protection software. Include
>: in the variety of viruses that it finds and cleans is a DOOM ][
>: virus called "whisper" (I think). It resides in the boot-sector
>: and occasionally deletes part of your FAT file structure.
>
>I bought a copy of DooM2, and it differs from the pirated copy that
>was going around in that the file dates and times are all 8/29/94 @ 7:56:54PM
>
>The pirated copy was dated several days earlier and had different (CRC)
>DooM2.EXE and SETUP.EXE files. I have already deleted the pirated copy
>so can't tell you the date of those files. I don't know anyone that
>actually had any virus problems with the pirated copy, but have all switched
>to the official version since the release anyway.
>
>The real DooM2 isn't a "bad" program, it's just bloody fun. If you're using
>the pirated copy, support ID and get yourself an official copy... they
>deserve your financial support.

There was a file named Detect.com in the pre-July Pirated version of Doom ][, and it had the Gold Bug in it. It was supposed to detect your modem for online play.

-Zep-

------------------------------

Date: Wed, 16 Nov 94 11:15:17 -0500
From: padgett@goat.orl.mmc.com (Padgett 0sirius)
Subject: Re: File listing for risc.ua.edu (PC)

JFORD@UA1VM.UA.EDU writes:
>It's been awhile since I've posted to the list about IBM antiviral files
>located on risc.ua.edu. Below is a current listing of available files.
>If you see some files that are out of date please let me know. If an
>update is available please direct me to the anonymous FTP site.
Quite far out of date, the current version of DiskSecure is 2.42 (though if you are running 2.40 or later I would not bother changing) and FixUtil6 has been available for over a year (the only update has been to FixFBR which is @ v2.1 now). Both are on oak.oakland.edu in pub/msdos/virus (DSII242.ZIP and FIXUTIL6.ZIP).

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.7 Public Key Available

------------------------------

Date: Wed, 16 Nov 94 12:59:31 -0500
From: misswt@leeds-metropolitan.ac.uk (Steve W. Taylor)
Subject: FORM virus on Doublespaced Drives (PC)

Has anyone had any experience of getting rid of the FORM virus on MSDOS 6.2 Doublespaced drives? Clean on NAV, DrSolomon etc. fails. Our only solution is to reformat. Help would be appreciated.

------------------------------

Date: Sun, 06 Nov 94 16:19:22 -0500
From: Nick FitzGerald
Subject: Re: VCL?? (PC)

Tripp@richmond.infi.net (Tripp Lewis) wrote:

> > If, as seems from this, computer virus writing clubs have information
> >exchanges at known email sites, then why can't these sites be traced and
> >closed down? Can't the law act against them????
>
> Close them down? Why? how the hell do you think all the av companies
> can put 50-80 scan strings in their software per update? You think they
> find them in the wild? Take another guess! Why should av software
> companies be the only one to trade viruses among themselves? What about

I'm sure AV s/w companies do benefit directly or indirectly from the activities of VX BBS'es, but "we" (the computer-using public) would benefit even more -if- they were closed down. Today the VX BBS'es are a source of incentive to the creation of several new viruses, mostly mindless minor variations on existing variants of the early, proven designs. Keeping up with this tide wastes much AV time that would (or at least could) probably be better spent on the real threat of keeping ahead of the occasional truly worrying "completely new" virus.
> the private researcher in these "groups"? ...

As this is more often than not a euphemism for "pimply, testosterone-charged teenager with dubious ethical standards", it is no wonder that VX BBS'es are the main places that they obtain material for their "research".

> ... The law cannot do crap about
> people who write and exchange viruses.

Bzzztt--wrong. You display a peculiarly US view on this. Have you talked to the guy in the UK who was recently arrested for writing and distributing Queeg, etc? He's facing possibly six (or more?) years jail. Many other countries have similar laws to the UK and even the good old US-of-A is looking at clamping down harder on virus writing/writers/distribution.

> FireCracker, NuKE

I've asked Ken whether postings from people like this really should be accepted.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Tue, 15 Nov 94 01:39:52 -0500
From: todd@chinook.halcyon.com (Todd H. Bailey)
Subject: Info on Teletype Virus (PC)

Does any one have info on the teletype virus ?

thanks.

------------------------------

Date: Wed, 16 Nov 94 13:09:09 -0500
From: Zvi Netiv
Subject: Re: AV Lab (PC)

On 16 Nov 1994, randy combs wrote:

> Hello,
> I read about the AV lab in Virus-L. Has it been released yet? If so,
> how can I obtain a copy?
> Thank you for your time.
>
> Randy Combs, Ph.D.
> West Texas A&M University

Hello Randy,

AVPL (the AV Practice Lab) v1.01 is available from my ftp:

ftp.datasrv.co.il/user/netz/avpl101.zip

You may also try InVircible's support ftp on netcom:

ftp.netcom.com/pub/antivir/invircible/avpl101.zip

You'll also find the latest freeware version of InVircible, in the same directory. Although AVPL is self contained, it may be informative to experiment having IV, side by side with your favorite AV package.
I'll be interested in reading your comments on AVPL.

Regards,
Zvi Netiv, InVircible

------------------------------

Date: Wed, 16 Nov 94 13:15:24 -0500
From: dxs1417@cs.rit.edu (Grenadier)
Subject: Re: NAV 3.0 updates ? (PC)

dolson@shore.net (Don Olson) writes:
>I still need to get NAV3.0 updates from Symantec, but nobody from Symantec
>seemed interested in responding to my requests on C$ for an internet site
>where they could be had.
[...]
>Is there a site that carries them thar updates??

Try ftp.symantec.com. I've gotten the last few updates from there.

- --
"If I speak, I am condemned.          David Stumme
 If I stay silent, I am DAMNED!"      dxs1417@cs.rit.edu
   -- Jean Valjean, a.k.a. 24601      d.stumme@genie.geis.com
      "Les Miserables"

------------------------------

Date: Wed, 16 Nov 94 13:23:22 -0500
From: Zeppelin@ix.netcom.com (Mr. G)
Subject: Re: invb601a.zip - The InVircible Anti-Virus Expert System v6.01A (PC)

murphwar@pylon.com (Jeff Murphy) writes:
>
>I have uploaded to SimTel, the Coast to Coast Software Repository (tm),
>(available by anonymous ftp from the primary mirror site OAK.Oakland.Edu
>and its mirrors):
>
>SimTel/msdos/virus/
>invb601a.zip The InVircible Anti-Virus Expert System v6.01A
>
>InVircible is a sophisticated and effective anti-virus product.
>InVircible is the only anti-virus package able to state that every single
>virus in the three known virus classes (Boot Sector, FAT/Directory,
>Executables) has been to date detected and removed -- a track record that
>dates back to the Fall of 1990! InVircible implements a unique layered
>approach consisting of several virus detection and removal programs
>combined into an unparalleled virus detection and removal system. Once
>installed, InVircible can absolutely confirm the presence of viruses,
>repair and remove virus infections, and make your system fully
>operational with limited virus knowledge and limited time. Utilizing a
>proprietary Adaptive Expert System, InVircible requires no updates to
>remain effective, and provides the peace of mind desired in virus control
>without the loss of system performance experienced with most
>TSR/Scanner AV packages. If high performance, lower costs, and total
>security are what you demand from your AV package, InVircible is the one
>to choose.
>
>Special requirements: None
>
>ShareWare. Uploaded by the U.S. Distributor.
>
>Jeff Murphy
>murphwar@futursoft.win.net
>
>

Jeff, there is a problem !

I have used TBAV for some time and have TBfile/TBcheck/TBmen active as TSR's. I went to SimTel and got your VI 601a and loaded it onto my system. Here is what happened.

Tbav loads all its TSR's and then IV starts up. At once, TBAV check stops the activity, and states that IV is trying to rename IV.EXE to IV.*%$, exactly like that. Now I did a complete setup with TBAV as to include the IV files. TBAV asks me if I want to stop the process. The first time I said NO, and then proceeded to have to go through with the same process with EVERY file that IV wanted to look at. When I got all done, and IV was finished, my system halted and I was informed that my system could not find the Command.com ??? So I directed it to dos where I keep a second copy, but it was gone also.

I then booted from a clean floppy and went into Norton Commander. Here is what I found. All .exe files had been renamed, and changed to a 6 byte file. Dos was filled with these. These 6 byte files had Stoned like extensions, such as #_^, and so on. I had to do a complete backup of ALL my .exe's and do a SYS c: to get back online.

What I have done since IS, run IV from the beginning of Autoexec.bat, then TBAV about 5 lines later. I refuse to give up TBAV, but I like your system of file integrity.

ANY IDEA WHAT THE PLUCK HAPPENED ?

-Zep-

------------------------------

Date: Wed, 16 Nov 94 14:44:29 -0500
From: templeto@toadflax.cs.ucdavis.edu (Scot P. Templeton)
Subject: Re: Need Help with Stoned Virus (PC)

Nick FitzGerald (n.fitzgerald@cantva.canterbury.ac.nz) wrote:
: enniaun@delphi.com opined:
: > You hit that on one the head. He should use the McAfee (or similar) 'CLEAN'
: > program. Stoned it very easy to remove with it. Be sure to 'clean' EVERY
: > bootable floppy you've got.
:   ^^^^^^^^
: Bzzzt--thank you for playing, and collect your "Misleading post of the
: day" banner on your way out.
: What Ennuian meant to say was:
: Be sure to clean EVERY, EVERY, EVERY floppy you have.
: This cannot be overstressed. In the PC world there is no such thing as
: "a bootable floppy" because the structure of English suggests that such
: a concept means there -is- such a thing as a "non-bootable floppy".

I had the Michael Angelo (sp?) virus a few years ago (when the big media scare sent everyone searching for help). I had gone through every disk I owned, most of which were "non-bootable" (eg. no DOS). I found roughly 70% of my disks were also infected.

Let my first hand knowledge enlighten those who still do not believe.

- --
University of California, Davis
Department of Computer Science
Graduate Studies
templeto@cs.ucdavis.edu

------------------------------

Date: Wed, 16 Nov 94 14:50:57 -0500
From: hsub@watserv.ucr.edu (Barnett C Hsu)
Subject: Re: NAV 3.0 updates ? (PC)

Don Olson (dolson@shore.net) wrote:
> I still need to get NAV3.0 updates from Symantec, but nobody from Symantec
> seemed interested in responding to my requests on C$ for an internet site
> where they could be had.
> Is there a site that carries them thar updates??

Symantec does have an Internet site. Virus updates can be had from ftp.symantec.com in the directory "/pub/antivirus/nav/nav3.0" (without quotes of course)

- --
Barnett C. Hsu
barnett@cs.ucr.edu OR hsub@watmail.ucr.edu
Computer Science Dept.
at University of California, Riverside

------------------------------

Date: Wed, 16 Nov 94 14:53:45 -0500
From: todd@halcyon.halcyon.com (Todd H. Bailey)
Subject: Re: Telecom virus (PC)

Are you sure it's the telecom virus and not the teletype virus? I am currently in need of information on the teletype virus.

The Packetman (dnorman@av8r.dwc.edu) wrote:
: My friend is currently wrestling with the Telecom virus(maybe). While
: formatting his hard drive, the computer tells him that there is a
: possible virus. After continuing with the format, we ran f-prot and
: it returned saying that the telecom virus was present in memory. We
: then performed a clean boot and ran f-prot again. This time f-prot
: said the computer was clean. Just to make sure he tried to format the
: drive again, but the same virus message appeared. We have gone
: through the cycle of running f-prot and numerous other anti-virus
: programs but the virus hasn't showed up except for the first time,
: although the "possible VIRUS" message always appears when he tries to
: format the drive. Could anyone who has any ideas or knowledge about
: the Telecom virus please help us. Thanks.

------------------------------

Date: Wed, 16 Nov 94 15:29:02 -0500
From: kief@utk.edu (Kief Morris)
Subject: Re: "The Tojo Virus" by Randall (PC)

"Rob Slade, Ed. DECrypt & ComNet, 604-984-4067"
The plan is to introduce a virus into the (mainframe) email system. I think.
>(There is an awful lot of extraneous detail.) The email, whether read or not,
>Ragged plot, inconsistent characters, enough tech to fool those who know even
>less than Randall.

This sounds like a book I mentioned on alt.folklore.computers last week. Called "Hard Drive", I think the author's name is something like David Pogue, it's about a Mac virus. In the book, Mac emulators somehow convert the virus to native code and cause it to spread even to machines without the emulation. Of course this produces horrible consequences of international proportion.
Several characters are professional computer programmers who are profoundly computer illiterate. Basically, it seems like the author's research consisted of talking to Mac computer hobbyists for background. As I recall, the author is supposedly a professional writer for one of the Mac magazines, but I find it hard to believe.

Kief

------------------------------

Date: Wed, 16 Nov 94 15:38:16 -0500
From: eugkogan@aol.com (Eug Kogan)
Subject: Virus-Made Directories (PC)

The virus I just had made about 75 directories that strange ascii characters in their names. Is there any way I can delete them? I've tried dos, windows file manager, and a few other such programs, none were able to access there dirs.

- -Eug-

------------------------------

Date: Wed, 16 Nov 94 16:07:53 -0500
From: "Dana R. Billig"
Subject: Re: GenB virus alert (PC)

On 15 Nov 1994, Michel Carbon wrote:

> I have a virus : GenB.
> I have detected it with scan117, on a floppy disk.
> how can I eradicate it , on my floppy disk?
> If there is a cleaner for that, where can I have it?
> Thanks in advance.
> Michel

I had the same problem yesterday. I use Tbav, and it detected what it called the Newbug [genb] virus, on my roommate's disk. Anyhow, I used McAfee's Clean117 to clean the disk, which when scanned afterward appeared clean. This virus does stay memory resident, and he picked it off a university computer. A cold boot should always be used when a computer you use is left on. It may work to eliminate it from memory. Hopefully it is not on the hard drive.

The convention was

Clean a: newbug [genb]

Clean117 is available at ftp oak.oakland.edu in the SimTel\virus directory I think.

Dana Billig
drbill@planetx.bloomu.edu

------------------------------

Date: Wed, 16 Nov 94 16:46:05 -0500
From: Nick FitzGerald
Subject: Re: Vacsina v 5 ?!? Info wanted!!! (PC)

G.F.Vocking@kub.nl (VOCKING G.F.) wrote:

> Today we encountered the Vacsina virus (v5) on our WAN...
> All in all it has temporarily infected over 2000 PC's I guess,
> since it clung to MAP.EXE in the SYS:PUBLIC directory of over
> 20 Novell Fileservers...
>
> After this day of hard and boring work to get rid of it, we wonder:
> 1. What does it do anyway ?
> 2. How come it infects files and gets away with it (since some
> virusscanners recognize the loader of Vacsina but not other
> files which have been changed by it!?) ?
> 3. Recommendations for (better) virusshields are wanted !

I'd say you have a --MUCH-- bigger worry than --any-- of the above, and that you have to address it --first--.

Why are your servers so badly configured and managed that a commonly used executable in a publicly accessible directory --EVER-- got infected?? This should not be able to happen on --one-- well-run NetWare server, let alone spread across more than 20 of them on the same LAN! Never!!

Either you have poorly set up rights and/or file/directory restrictions, too many "supervisor equivalent" usercodes, "unreliable" people as supervisors, or a directed attack. (Given the scale of the infection, I'd say probably either the latter or a combination of the former.)

Until you resolve the issues that -allowed- an infection of this scale to occur, I'd say you have little chance of disinfecting and staying "clean" for long.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Wed, 16 Nov 94 18:12:44 -0500
From: aswNS@hamp.hampshire.edu (Albert S Woodhull)
Subject: Trident virus info? (PC)

In a recent visit to a university in Nicaragua I found that they were having persistent infections of a virus that McAfee SCAN v. 117 detects and identifies as Trident. Other anti-virus tools on hand may have been out of date, in any case they (CPAV and MS-DOS AV) did not detect it.
It seems to change the size of files, but hides the change when active, and it caused problems with various programs crashing. It seemed to recur even when all infected files were removed, although rewriting the MBR may have eliminated it.

Can someone mail me some information about this virus?

Albert S. Woodhull, Hampshire College, Amherst, MA
awoodhull@hamp.hampshire.edu

------------------------------

Date: Wed, 16 Nov 94 20:05:26 -0500
From: barclae@gov.on.ca (Elizabeth Barclay)
Subject: MSAV / F-Prot comparison (PC)

Does anyone have any information comparing the performance of MSAV vs. F-Prot?

------------------------------

Date: Wed, 16 Nov 94 22:23:03 -0500
From: gandalf@pipeline.com (Tom Neumann)
Subject: Best form of Virus Protection? (PC)

In comp.virus lakhani@wharton.upenn.edu said:
>Does anyone know what the best virus protection available is?

Here is a defense method that I have complete confidence in,

A-for downloading and decompressing files use a shell such as shez or winzip with McAfee's scan 1.17, always use the shell to scan the file immediately after download.
B-Run F-Prot once a week and when installing new commercial software.
C-Run TBAV or Integrity Master every other week.

This regimen should keep you safe, one more step might be to run Fprot's TSR at boot-up but I have encountered many problems with various anti-virus tsr's. This is for a system with only one user, you might do these things more often on a machine used by several people.

- --

------------------------------

Date: Wed, 16 Nov 94 22:24:03 -0500
From: ns47@unlinfo.unl.edu (class account)
Subject: Re: PC drops out of Windows. Virus? (PC)

Terru (terru@aol.com) wrote:
: MS Anti-virus doesn't find anything. Is this a new virus? If so, how can

windows - go figure. I'm surprised that MS AV didn't find anything.
You would figure that the brains at Microshaft would at least try to make the bugs in their software look like a virus when they don't have the time of day to fix it ;)

------------------------------

Date: Wed, 16 Nov 94 22:40:49 -0500
From: ns47@unlinfo.unl.edu (class account)
Subject: Re: Mouse ports (PC)

[Moderator's note: Follow-ups via direct e-mail (not on this list), please.]

ANTHONY APPLEYARD (A.APPLEYARD@fs1.mt.umist.ac.uk) wrote:
: I am sorry to waste bandwidth with a matter not directly related to viruses,
: but: since much in viruses and antivirals is concerned with reading and
: writing to things directly, perhaps someone might know something that I have
: looked for in vain through infinity big comprehensive-looking PC books: what
: port reads and writes would I need to access an ordinary serial Microsoft-type
: mouse directly by port reads and writes, bypassing the int33 interrupts and
: the usual mouse handlers?
: It seems that it should be fairly easy: detect a unit movement in each
: direction; detect if each button is up or down.

it should be the same as COM1: one time I figured out how to do it from quick basic using the INP (or something like that) function I also figured out the codes for the buttons, It is rather interesting, apparently the codes that indicate what the mouse is doing is a variable-byte sequence, the first byte indicates the direction of the mouse and the status of the buttons(I guess it also indicates if there are more bytes to follow), and the rest of the bytes contain the distance traveled. It is easiest if you are going to try to decode the signal to display the byte sequence graphically like this:

1's a b b b b a a b b b
2's b b b b a a b a b a
4's a a a a a a a b a b

------------------------------

Date: Thu, 17 Nov 94 00:39:56 -0500
From: Zvi Netiv
Subject: Re: AV lab (PC)

Hello David,

On Wed, 16 Nov 1994, Dr. David B Hull wrote:

> As a consultant and professor of computer science
> specializing in computer viruses and security I would
> be very interested in getting a copy of your AV lab.
> There are, as I am sure you know, other similar products
> available. But, they have had a poor reception by the
> Anti-virus community - particularly by Vess.
> Thanks

I followed the thread about Doren's simulator between you and Vesselin. I think Vesselin made a few valid points, especially about that the simulator can test at the most the susceptibility of an AV product to false positives. All the above

This is to tell you that the new AVPL is anything _the other products are NOT!_ Just the same as InVircible, my AV product, is totally different from classic AV. :-)

AVPL was recently released and you can get a copy from either

ftp.netcom.com/pub/antivir/invircible/avpl101.zip

or from my ftp

ftp.datasrv.co.il/user/netz/avpl101.zip

I would suggest that you have a look at InVircible as well, invb601a.zip, in the same directories as the above. I'll be curious to have your opinion on both products after you look at them.

Thanks for asking,
Zvi Netiv, InVircible

------------------------------

Date: Thu, 17 Nov 94 01:05:24 -0500
From: Zvi Netiv
Subject: RE: invb601a.zip - The InVircible Anti-Virus Expert System v6.01A (PC)

On Wed, 16 Nov 1994, Douglas W. Jones wrote:

> I am currently using IV in unregistered mode. I think it is an
> amazing piece of software and a fantastic concept - like a
> computer "immune system". Well done, Zvi!

Thanks Doug.

> 1) What changed between 6.01 and 6.01a? Jeff - would have been
> nice if you'd included this info in your post; Zvi it would be
> helpful to have a "changes.txt" in the zip perhaps.

Well, you are right! I'll add a WHATSNEW file with the next revisions. Unlike traditional AV software, InVircible does not have "updates", as scanning is not its purpose, but revisions or enhancements, if you like.
The major one in 6.01A is the addition of new features to take care of the new large capacity IDE drives. Western Digital just threw to the market the 1 gbyte drive with the dynamic boot XBIOS driver from Ontrack. To my total surprise, the driver uses a technology that I saw before only with stealth boot viruses. This does not mean that the driver is a virus, not at all, but it needed to look carefully at all the low level routines, incorporated in an AV product.

Quite many may be surprised when viruses like Monkey hit such disk. Western Digital and Ontrack made allowance only to Michelangelo, Stoned and No-INT by leaving sector 0,0,7 vacant. All the rest are occupied by the booting driver code (from 2 to 6, Monkey overwrites 3!). :-)

Rev 6.01A covers it all, and I may say that IV is probably now the only product that is aware of this new technology. The implications are important to all "disk rescue" utilities, not only to AV! I wrote a note on the subject and posted it to Virus-L, a week ago, but I didn't see it yet in the digests. Maybe in the next.

> Thanks, and keep up the great work!

I'll try. :-)

Regards,

Zvi Netiv, InVircible

------------------------------

Date: Thu, 17 Nov 94 01:14:20 -0500
From: "Frans Veldman"
Subject: Help! Filler, GenB, GenP viruses (PC)

achwong@hkusub.hku.hk (Albert C. H. Wong) writes:

> I really do not have any idea on how to remove Filler/GenB/GenP viruses
> from my PC. It is a mysterious matter. When just started my PC, I used
> Virusscan v117 to scan viruses and there was no discovery. However,
> when checking for viruses the second time using Virusscan v117 again,
> the viruses came out. Then, all I could do was to reboot my PC with a
> clean Virusscan floppy disk. However, there was still no discovery even
> I checked it several times. The viruses could only be detected again
> after I ran some programs from my fixed drives. But I was unable to
> clean them. Then, I used a newer version of Virusscan (v212) for virus
> checking.
But nothing can be detected anymore. They cannot be detected
> also by using Thunderbyte Anti-virus utilities.

There are no viruses. This is an excellent example why memory scanning (Iolo Davidson watch out!) is a bad idea.

What happened is that the first time you use the scanner you also load its signatures in memory. When you run the scanner again, the signatures from the first time are still floating around in memory, and Scan detects its own signatures.

Another possibility is that you load CPAV in memory, it also contains signatures, and these signatures are detected by SCAN.

Once again, memory scanning causes more confusion than it solves.

- --
Thunderbye, Frans Veldman

<*** PGP 2.3 public key available on request ***>

Frans Veldman          Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl   Fax (ESaSS)    + 31 - 80 789 186
2:280/200.0@fidonet    Fax (VirLab)   + 31 - 59 182 714

------------------------------

Date: Thu, 17 Nov 94 02:24:21 -0500
From: whorne@Libris.Public.Lib.GA.US (William K. Horne)
Subject: Re: GenB virus alert (PC)

Michel.Carbon@univ-lille1.fr (Michel Carbon) writes:

>From: Michel.Carbon@univ-lille1.fr (Michel Carbon)
>Subject: GenB virus alert (PC)
>Date: 15 Nov 1994 17:41:24 -0000
>I have a virus : GenB.
>I have detected it with scan117, on a floppy disk.
>how can I eradicate it , on my floppy disk?
>If there is a cleaner for that, where can I have it?
>Thanks in advance.
>Michel

clean 117

clean a: [Genb]

And once you've done that, scan it again - you might then find GenP. Then:

clean a: [Genp]

bill h

------------------------------

Date: Thu, 17 Nov 94 02:34:05 -0500
From: brette@wam.umd.edu (Brett Moseley)
Subject: Protection... (PC)

Help... I am a student at U of Maryland and I am looking for a good secure system... I understand that no system is perfect and that a good system has several layers of protection... I was wondering what good protection is on a limited budget, often running windows, on a 386-40,...
What type of scanners, memory resident protection and validation codes do I need... How often should I run scanners and how often do I need to update and where do I find updates... This is kind of a crucial question since my friends are dropping like flies... You can mail me at brette@wam.umd.edu

- -Thanx in advance
- -Brett-

------------------------------

Date: Thu, 17 Nov 94 03:36:25 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: NCSA hasn't heard of Viking virus (PC)

rsb5c@virginia.edu (Richard Bondi) writes:

>The Subject is overly provocative. I read a bit about NCSA, and they told me
>stuff about ANTICMOS that McAfee didn't tell me, so I assumed what I had read
>was true: that they have a database of all viruses

NOBODY has a complete collection of all viruses. I guess the biggest collections only contain around 5000 viruses, though.

>and are used as a central resource by all virus fighters.

Nonsense.

>If they've not heard of Viking, it can't be true. Is it true of anyone, and if
>so, of whom?

Well, there simply *is* no central resource ... just a lot of companies that may or may not cooperate with each other.

As for the Viking viruses, I know that quite a few virus scanners detect it: F-PROT, DSAVTK and AVP at least... I don't check other products regularly myself.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Thu, 17 Nov 94 03:39:58 -0500
From: u643230@csi.UOttawa.CA (Souheil I.)
Subject: HELP: Writing an anti-virus (PC)

Hi to all,

I'm currently writing a small anti-virus (TSR) for a variant of Bad-Brains COM infector virus. Until now I can tell if a file called by the DOS EXEC function is infected or not. What should I do next to prevent access to this file even in a debugger ???

Thank you in advance.
u643230@csi.uottawa.ca

------------------------------

Date: Wed, 16 Nov 94 15:48:03 -0700
From: Ed Faulk
Subject: Re: Anti-CMOS Virus Infection - HELP! (PC)

writes:

. snip ...

> A simpler way is to install FRONTLINE. This is a very new product and
> much thought and effort was put in to make it work for all forms of
> boot/partition viruses. Just install into your hard disk and on boot up,
> if a boot virus exists, it will prompt you to remove it. All you need is
> just to type Y. No special training is required for your users. It is
> fortunate that the virus you encounter is a simple one. There are many
> cases when FDISK /MBR does not work. FRONTLINE will work and it work by
> booting up from the very hard disk that is infected. FRONTLINE can
> remove the virus even from an infected hard and stealth ones too.

Since you are really pushing this product, perhaps you'll be kind enough to answer a few questions. Most products that "protect" the boot sector do so by copying the sector and then comparing them. There are times when the boot sector is SUPPOSED to change (new version of operating system, repartition the drive, etc.). Does your product detect that as a virus, or do you know that the format change was valid?

Ed

------------------------------

Date: Thu, 17 Nov 94 08:15:10 -0500
From: magus@netcom.com (Magus)
Subject: Re: DOOM II (PC)

Jimmy Kuo wrote:

>DOOM II is distributed in a shareware package.
>I believe there have been at least 3 separate incidents of DOOM II packages
>being infected and redistributed. I am not familiar with how DOOM II is
>packaged. I wish they would have had some built-in self-checks to prevent
>this type of attack.

With all due deference... DOOM 2 is not distributed in a shareware package. The first third of DOOM is distributed as shareware but DOOM 2 is a complete commercial release.

As a side note I am not aware of many commercial packages that do self checks on start up to "prevent this type of attack".
I have seen a few but not many.

Cheers

John Schmid

- --
John Schmid Internet: magus@netcom.com Finger for PGP key
"Truth is what remains when all illusions have been stripped away." Suenteus Po

------------------------------

Date: Thu, 17 Nov 94 08:44:06 -0500
From: bambi@informatik.uni-wuerzburg.de (Stefan K. Bamberger)
Subject: help! virus on Nov.15th ??? (PC)

Hi,

today, my friend told me that all three PCs in their institute didn't boot at tuesday 15th november with the message like " can't find drive C: " this seems to look like a virus....

One of the PCs could be reanimated with norton disk doctor - the partition table was refreshed. After reanimation the SCAN V9.2 didn't find any virus ..... With the other PC NDD didn't find the drive at all.

So my questions:

Does anybody know, if there exists a virus which gets active at 15th november and has that kind of appearance?

Does anybody know how to get rid of it?

If not, is there another way to get access to the drive again, without reformatting it?

Which options will be best with format to be sure to delete a possible master boot sector virus etc.??

As I know the drive information in the setup are correct. So, that's not the problem.

thanks for any hints,

- - stefan

_____________________________________________________________________
*** Support bacteria -- it's the only culture some people have! ****
_____________________________________________________________________
Stefan K. Bamberger            email: bambi@informatik.uni-wuerzburg.de
Lehrstuhl fuer Informatik VI
Universitaet Wuerzburg         voice : ++49 931 7056114
Allesgrundweg 12               Fax   : ++49 931 7056120
97218 Gerbrunn / Germany
_____________________________________________________________________

------------------------------

Date: Thu, 17 Nov 94 09:30:19 -0500
From: Mike Ramey
Subject: NATAS Virus Alert! (PC)

[Moderator's note: The attached note was forwarded multiple times before being submitted to comp.virus.
Although I have no reason to doubt its validity, I don't have any reason to _trust_ its validity either. Caveat emptor.]

>Date: Tue, 15 Nov 1994 20:07:19 -0500
>From: Randle Berlin
>Subject: Virus Alert
>
>*******************************************
>*******************************************
>**                                       **
>**      V I R U S   A L E R T ! ! !      **
>**                                       **
>*******************************************
>*******************************************
>
>
>At First Saturday Sale in downtown Dallas, there was a vendor handing
>out floppy disks to demo his services. Unknown to the vendor these
>disks were infected with the Natas Virus (in the INSTALL.EXE file.) This
>is a fairly nasty poly-morphic virus that *can* trash your hard drive.
>It does varying degrees of damage, with a complete crash in roughly
>1 out of 500 hard drives. The demo program was only completed 4 days
>ago, but SO FAR, there have been 3 crashed systems and one infected
>network. With several hundred additional demo disks now in
>circulation.... the potential is pretty scary.
>
>The free demo disks were 3.5" black floppies with the word "WIN" in
>large letters from Winner's International Network.
>
>Please pass this message around, this could be a nasty problem.
>The vendor has handed out over TWO THOUSAND disks total, and the virus
>is probably wide spread in the DFW community by now.
>
>The virus is polymorphic, uses complex stealth routines, has some tricky
>code in it, plus remains memory resident. It kicks almost *EVERY* flag
>in TBSCAN's heuristic mode.
>
>NATAS is very new, and is not recognizable by SCAN, MICROSOFT ANTI-
>VIRUS, and CENTRAL POINT. Only F-PROT, TBAV, and AVPRO can find it.
>
>If you have the virus already, it goes memory resident, and uses heavy
>polymorphic code to avoid detection. Chances are, if you're already
>infected, virus scanner *might* not find it. Boot from a clean floppy
>containing an anti-virus scanner, and scan all your drives.
>
>The disk containing the virus has a INSTALL.EXE, which is the infected
>file.
>
>This has been verified and is NOT a joke! Scan EVERYTHING you upload or
>download from any bbs, or get from any disk!

------------------------------

Date: Thu, 17 Nov 94 10:37:00 -0500
From: Mike Ramey
Subject: Re: Virus Alert -- NATAS. (PC)

Thanks to all of you for passing this information on. It is especially helpful when you include geographic information, even tho' viruses can travel very quickly over the net.

It also helps if you include a version number when referring to specific anti-virus programs; F-PROT 2.13a lists 2 forms of the Natas virus in its VIRLIST.LIS file, and version 2.15 lists 5 forms of the virus. I did not download version 2.14.

Yes, F-PROT 2.15 is available (tho' I have not seen any announcement from Frisk yet on the comp.virus newsgroup). You can get it by anonymous ftp from OAK.Oakland.Edu, directory SimTel/msdos/virus/, file fp-215.zip, dated Nov-14.

I hope you are all reading (and posting to) the moderated comp.virus newsgroup. Because it is moderated, there may be a slight delay in distribution of messages. It is an excellent source of virus information. I have forwarded this alert to the moderator of the comp.virus group so others will be aware of it also.

Thanks again for the warning! -mr

- ----- Excerpts from original message -----

>Passing this along especially for anybody in the Dallas Ft. Worth area:
>At First Saturday Sale in downtown Dallas, there was a vendor handing
>out floppy disks to demo his services. Unknown to the vendor these
>disks were infected with the Natas Virus (in the INSTALL.EXE file.) ...
>(PS: Keep those virus checking programs up-to-date!!)
>NATAS is very new, and is not recognizable by SCAN, MICROSOFT ANTI-
>VIRUS, and CENTRAL POINT. Only F-PROT, TBAV, and AVPRO can find it.

------------------------------

Date: Thu, 17 Nov 94 14:02:33 -0500
From: eedraq@chapelle.eed.ericsson.se (Raphael Quinet)
Subject: Re: DOOM II (PC)

cjkuo@symantec.com (Jimmy Kuo) writes:
|> Steve Midgley writes:
|> >I'm not going to say that doom ii is a 'bad' program, but it doesn't
|> >INHERENTLY have any more to do with viruses than Word Perfect 6.0.
|> >It's just a game.
|>
|> DOOM II is distributed in a shareware package.
|>

Wrong! Doom 1 was shareware, but Doom II is a commercial program. There is no shareware version of Doom II.

|> I believe there have been at least 3 separate incidents of DOOM II packages
|> being infected and redistributed. I am not familiar with how DOOM II is
|> packaged. I wish they would have had some built-in self-checks to prevent
|> this type of attack.
|>

Doom II was released on Oct 10th, but a nasty pirate managed to steal a copy before that date. This leaked copy was distributed all over the world. (Un)fortunately, several copies got infected by viruses and were copied by hundreds (thousands?) of people. If you have Doom II version 1.666 and you got it "from a friend", there is a fair chance that you got a virus as a bonus...

If you bought it, you should normally have Doom II version 1.7, which is the latest one. The copies sold in the shops or distributed directly by GT Interactive are virus-free. GT Interactive distributed some 1.666 copies to registered users of Doom 1. These copies are safe too.

- -Raphael

- --
+---------------------------------------------------------------------------+
| Finger: finger quinet@finger.montefiore.ulg.ac.be for some useless info.
|
| Mosaic: http://www.montefiore.ulg.ac.be/~quinet (NEW: preview of DEU 5.3) |
| E-mail: eedraq@chapelle.ericsson.se or quinet@montefiore.ulg.ac.be |
| S-mail: Raphael Quinet, 9 rue des Martyrs, 4550 Nandrin (Belgium) |
| or: Raphael Quinet, Kapuzinergraben 2, 52062 Aachen (Germany) |
| --* Send your questions about DEU to: Deu_Help@boblab1.bobst.nyu.edu *-- |
+---------------------------------------------------------------------------+

------------------------------

Date: Thu, 17 Nov 94 17:22:00 -0500
From: kloeppej@ccmail.orst.edu (John Kloepper)
Subject: Network Antivirus NLM's / need advise (PC)

We are currently looking into antivirus NLM's to run on our Novell servers. To date all I've been able to find is netshld from McAfee. Can any one provide information on other options or an opinion on netshld?

------------------------------

Date: Thu, 17 Nov 94 17:31:58 -0500
From: Iolo Davidson
Subject: memory scanning (PC)

rc.casas@ix.netcom.com "Robert Casas" writes:

> I, for one, agree completely with Frans Veldman's position.
> A journalist's reporting is misleading and uninformative when
> she/he evaluates an issue ( or a product ) without regard for the
> conceptual and historical context of the issue discussed.

The SECURE Computing article had full regard for the *issues* in all their aspects. What it did not do was accept Thunderbyte's excuses for the fact that it did not cope with memory resident viruses, neither by finding them in memory (as the other products did, with greater or lesser effectiveness) nor by employing its own, new wave, different, don't-tell-ME-how-to-find-viruses way of working. Nevertheless, these excuses were published, as part of the context.

> When reporting an issue without benefit of such "context"

Full "context" was published, both of the issues and Thunderbyte's excuses, including their claim that the next version would remedy the lack of memory scanning.
Veldman's complaint made it plain that he had not even seen the last two pages of the review which covered these aspects.

> the article becomes a vehicle
> for expression of the author's bias and "pique"
> to use your own word.

I was not the author of the article, nor the person who performed the tests. The persons concerned have no bias against any software producer, and simply reported their findings, which findings Veldman has not contested. My "pique" was aroused by Veldman's public attack on my professionalism and has nothing to do with the article, the tests, or Veldman's product.

> It would appear to me that your position
> is a reflection of the changed "ethic" underlying journalism
> over the past few decades as media sensationalism and issue
> advocacy have increasingly taken the place of objective reporting.

You could not be further off base. This was a group test of an important aspect of anti-virus software in a subscription only professional journal. It is obvious from your comments that you have not seen the article concerned. Accusations of "bias" from someone who has not even seen the material he claims to be biased are entirely bogus.

> The _only_ fair way to objectively report the limits of TBAV is
> to do so in the context of explaining what TBAV is, or is not,
> designed to do. Your failure to see this reflects your "ethic"
> of reporting which I consider, at best, "immature."

You are still confused. I did not write the article or perform the tests. You cannot review the article based on my reaction to being libelled in this newsgroup. Furthermore, the Thunderbyte position on memory scanning *was* put in the article. Veldman just didn't notice it was there (but I pointed it out in my reply, which *you* have not noticed).

And further to that, whatever Thunderbyte is designed to do, the actual performance under test conditions showed that it did not cope sensibly with viruses in memory.
Whether you think this is a failure in the design, or in the performance, is somewhat academic.

> I am not
> in the least interested in what "the journalist thinks relevant."
> Material guided by this motive belongs on an editorial page.
> It does _not_ belong in an article that purports to be "objective."

And the UK government does not think a press investigation into ministers accepting backhanders is relevant, either.

When designing technical tests, we have to use our own expert judgement as to what aspects to include in the testing. And we *are* experts in this field. We cannot allow the software producers to dictate test conditions, because they will all want us to test the things they are good at and ignore the areas in which they perform poorly, leading to different test conditions for each product. There were ten products in this test.

We explained all the technical details of how the tests were conducted in the article. The tests were then conducted on an entirely objective basis, and the results are not editorial opinion, but fact. The editor of SECURE Computing stands by the review.

(However, he does not sanction my arguing of the issues in this newsgroup- I am speaking for myself here, and not for SECURE Computing)

> Since you were conducting a review of different AV products the
> value and importance of "context" assumes an even greater didactic
> and factual importance.

Once again, the context was fully covered, including Thunderbyte's excuses.

> Many AV products do _not_ share the same
> conceptual assumptions regarding the best methods for dealing with
> viruses.

Of course. This had no effect on the tests. They showed that Thunderbyte did not find viruses in memory, which was true. SC published Thunderbyte's claim that it did not need to do so because of the way it worked, in the article. SC also pointed out that regardless of this claim, Thunderbyte crashed when some of the test viruses were resident in memory.
> A clear explanation of these differences would have been
> valuable and quite informative. Reporting your "tests" against the
> background of such conceptual differences in approach to Av would
> have served your readers well. It would have made your task as
> a reporter more complex....but it would have educated and informed
> your readers.

Read the article. All of the stuff you would have praised SECURE Computing for above is in fact in the piece.

> The rest of your post does not deserve reply. After all, you state,
> "And since you have libeled me, I omit your excuses from this
> reply in a fit of pique." Since the remainder of your reply is
> motivated by "pique" I will ignore it as such.

The "pique" was entirely as a result of Veldman's libel of me and has no relevance to the article in question, but I am happy that you found it an excuse to leave off your stream of baseless accusations about something you have not even seen.

- --
HENRY THE EIGHTH       BUT KEPT
PRINCE OF FRISKERS     HIS WHISKERS
LOST FIVE WIVES        Burma Shave

------------------------------

Date: Mon, 14 Nov 94 20:23:24 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: fp-215.zip - Version 2.15 of the F-PROT anti-virus program. (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
fp-215.zip      Version 2.15 of the F-PROT anti-virus program

This version adds detection of over 250 new viruses, bringing the total to 4839.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Mon, 14 Nov 94 20:23:27 -0500
From: Mikko.Hypponen@wavu.elma.fi (Mikko Hypponen)
Subject: bull-215.zip - ASCII-version of F-PROT 2.15 Update Bulletin (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
bull-215.zip    ASCII-version of F-PROT 2.15 Update Bulletin

ASCII-version of the F-PROT Professional 2.15 Update Bulletin.

F-PROT Update Bulletins contain information about the current virus situation globally. Every time a new version of F-PROT Professional is published, it is accompanied with a new Update Bulletin. Bulletins are published on paper in A5 format.

Update Bulletins are published by Data Fellows Ltd of Helsinki, Finland. Data Fellows Ltd is the publisher of F-PROT Professional Anti-Virus Program in Scandinavia, Asia, Africa and most of Europe. They can be reached via e-mail at f-prot@datafellows.fi

Articles in this issue of the Update Bulletin
=============================================
Data Fellows' Experts Abroad
The Global Virus Situation
 - Die_Hard
 - LZR
 - One_Half
 - Bye
 - 3APA3A
The Virus Bulletin Conference '94
Retroviruses - how viruses fight back
F-PROT support informs: Common Questions and Answers
Changes in Version 2.15
New Viruses Detected by F-PROT 2.15

Uploaded by a member of the F-PROT Professional Support Team.

Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
===> DF is moving - our mail address and phone numbers are changing <===

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 96]
*****************************************
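
The effect described in Frans Veldman's reply in this digest (a memory scan reporting signatures that an earlier scanner run left behind in memory), as an added example that is not part of the digest or of any product named in it. The signature bytes, load addresses and function names are constructed, and the XOR-masked table and wipe-on-exit are two ways a scanner can avoid leaving matchable signatures behind, not a description of how SCAN or any other scanner works.

```python
"""Toy model of a memory scan that finds signatures left by an earlier scan.

Constructed for illustration: the signature bytes, the names and the flat
bytearray standing in for DOS conventional memory are all made up.
"""

MEM_SIZE = 4096
MASK = 0x5A  # single-byte XOR mask for the "masked" signature table

# Constructed signatures: plain ASCII markers, not bytes from any real virus.
SIGNATURES = {
    "Demo.A": b"<<constructed-signature-A>>",
    "Demo.B": b"<<constructed-signature-B>>",
}


def encode_table(masked):
    """Serialise the signature table the way the scanner keeps it in memory."""
    blob = b"".join(SIGNATURES.values())
    return bytes(b ^ MASK for b in blob) if masked else blob


def scan_memory(mem, skip):
    """Return names of signatures found in mem outside skip=(start, end)."""
    start, end = skip
    hits = set()
    for name, sig in SIGNATURES.items():
        pos = mem.find(sig)
        while pos != -1:
            # Ignore matches that overlap the scanner's own live table.
            if pos + len(sig) <= start or pos >= end:
                hits.add(name)
            pos = mem.find(sig, pos + 1)
    return sorted(hits)


def run_scanner(mem, load_at, masked=False, wipe_on_exit=False):
    """One scanner run: load the table, scan everything else, then exit."""
    table = encode_table(masked)
    region = (load_at, load_at + len(table))
    mem[region[0]:region[1]] = table
    hits = scan_memory(mem, region)
    if wipe_on_exit:
        mem[region[0]:region[1]] = bytes(len(table))
    # Without the wipe, the table bytes stay where they were after exit.
    return hits


def two_runs(masked=False, wipe_on_exit=False, resident=None):
    """Scan twice; the second copy of the scanner loads at another address."""
    mem = bytearray(MEM_SIZE)
    if resident is not None:
        # Constructed stand-in for code that really is resident in memory.
        mem[0x800:0x800 + len(resident)] = resident
    first = run_scanner(mem, 0x100, masked, wipe_on_exit)
    # Assumption: other programs ran in between, so the load address moved.
    second = run_scanner(mem, 0x400, masked, wipe_on_exit)
    return first, second


if __name__ == "__main__":
    print("plain table :", two_runs())
    print("masked table:", two_runs(masked=True))
    print("wipe on exit:", two_runs(wipe_on_exit=True))
    print("resident    :", two_runs(masked=True,
                                    resident=b"xx" + SIGNATURES["Demo.B"]))
```

With the plain table the first run is clean and the second reports both names from the first run's leftovers; the masked table and the wipe each remove that report while the resident marker is still found on both runs.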