VIRUS-L Digest   Tuesday, 20 Dec 1994    Volume 7 : Issue 100

Today's Topics:

    "Tekroids" episode of Tekwar and the perception of viri
    Tech Report on Virus fighting through Biological Processes
    Re: Viruses in newsgroups - how can that be?
    Re: What's a Logic Bomb ?
    Promising signs in disk duplication
    CVIA and the antiviral "industry" at large
    Virus reporting procedures and rumor control
    Re: OS/2 Virus Susceptibility? (OS/2)
    OS/2 Virus? (OS/2)
    Re: Mainframe Viruses? (IBM VM/CMS/etc)
    Help me: virus, whisper. (PC)
    Questions about viruses: (PC)
    New virus reported in China: `Li Peng' (PC)
    Virus Alert For INACOM Notebook Computers (PC)
    Re: invb601a.zip - The InVircible Anti-Virus Expert System v6.01A (PC)
    Re: FORM virus on Doublespaced Drives (PC)
    Ack! My Keyboard gets remapped. Help! (PC)
    Re: Virus Alert -- NATAS. (PC)
    Re: Anti-CMOS Virus Infection - HELP! (PC)
    DOOM game messages (PC)
    Mr. Ed Virus (PC)
    Re: FORM virus on Doublespaced Drives (PC)
    Need info on Cansu virus (PC)
    Stelth_C 2? (PC)
    RM virus (PC)
    Re: VCL?? (PC)
    Re: monkey virus (PC)
    Re: master boot record viruses (PC)
    Cure of Die Hard ? (PC)
    Any Sophos Internet sites around??? (PC)
    Re: help! virus on Nov.15th ??? (PC)
    Re: MSAV / F-Prot comparison (PC)
    Re: Telecom virus (PC)
    Re: Trident virus info? (PC)
    Virus modifying CHKLIST.CPS/.MS? (PC)
    Memory Scanning (v-l 7.096) (PC)
    Re: solomons causes GPF's & slows program loads (PC)
    Re: Network Antivirus NLM's / need advise (PC)
    HELP: InVircible CMOS Error ? (PC)
    InVircible is invasive??? Problem??
    DA'BOYS Virus (PC)
    Re: Virus named Jack Ripper (PC)
    Re: Need Help with Stoned Virus (PC)
    What Genb etc is (PC)
    RE:FLU-SHOT (PC)
    Re: Happy birthday PC Virus. Please Help! (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)

Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 03 Dec 94 19:23:53 -0500
From: "Rob Slade, Social Convener to the Net"
Subject: "Tekroids" episode of Tekwar and the perception of viri

TVTEKWAR.RVW   941201

Bill Shatner has been reading "Snow Crash" (cf BKSNCRSH.RVW)! In tonight's episode of Tekwar, we find that police detectives, and the hero's ex-wife, have been felled by a nasty virus. A *computer* virus. Call the Weekly World News.

Shatner is *much* more ambitious than Stephenson. The "Snow Crash" virus, in graphical representation, looked pretty much as you'd expect--snow! The Tekwar virus looks like a young lady. (When she starts to open her blouse, you get just a hint of circuitry and bright light. Hubba, hubba!)

Oh, come now, Rob. Don't be a spoil sport. They can make programs that look like text, can't they? So why can't they make programs that look like pictures?

Well, it is true that I have copies of the BOO programs, which are utilities for converting binary files into a format that was only printable characters. I understand that there is an MS-DOS program, called COMt, which turns COM files into *executable* forms, using only printable characters. (Padgett Peterson was so taken with the idea that he wrote his Christmas card program using only printable characters.)
The "text" programs, however, don't exactly look like a letter from Mom--they look like strings of garbage. Paradoxically, graphics images (realistic graphics, that is) give you even *less* leeway, since the human eye is *very* good at picking up anomalies.

The Tekwar virus is recovered from an imperfectly erased copy of the graphic. Under extrapolative recreation, the virus is virulent enough that just looking at it will fry your computer. (Try *that* with your average copy of Stoned. "Lossy" compression wins again!) (By the way, in *that* picture, the young lady has her shirt *on*.)

If you look at the virus, it renders you unconscious. Fair enough: flashing lights can stimulate epileptic seizures. However, thereafter the virus slowly causes *physical* degradation of your nervous system. Oh, please. What's the nerve equivalent of JMP?

Stay tuned *next* week, when Bill Shatner uses the I-word. (Pay close attention when he announces the virus is loose.)

copyright Robert M. Slade, 1994   TVTEKWAR.RVW   941201

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (contact: 1-800-SPRINGER)

------------------------------

Date: Sun, 04 Dec 94 14:05:18 -0500
From: S1104145@cedarville.edu (Daniel Hatfield )
Subject: Tech Report on Virus fighting through Biological Processes

I am looking for a Technical Report produced by someone in IBM on the possibility of fighting viruses like the body fights viruses. The general idea of the paper was that one should create a program that takes apart viruses and presents them to another program to be deciphered and tagged, and then you could follow the virus through this tag much like a signature recognition. Anyone know where I could get it?
Dan Hatfield

------------------------------

Date: Mon, 05 Dec 94 10:53:50 -0500
From: dtulloh@kazak.NMSU.Edu (dtulloh)
Subject: Re: Viruses in newsgroups - how can that be?

Wu Kwok Wai (kwwu@hkusub.hku.hk) wrote:

: [Moderator's note: Simple - uuencoded files being posted as messages
: to the group. Same method used to post digitized pictures to other
: groups. There's no harm to the casual reader - unless s/he uudecodes
: the viruses (or pictures! :-) and runs them.]

If I were to uudecode such a digitized picture and used it in a viewer prior to virus-scanning it, could the virus infect my system? I wouldn't think so, since the viewer would be treating the whole file as a data file.

Dan
dtulloh@acca.nmsu.edu

------------------------------

Date: Mon, 05 Dec 94 11:04:27 -0500
From: dtulloh@kazak.NMSU.Edu (dtulloh)
Subject: Re: What's a Logic Bomb ?

Tor Houghton (torh@central.sussex.ac.uk) wrote:
: Billy Nadeau (billy@step.polymtl.ca) wrote:
: > But I don't know what's a Logic Bomb. Can anybody tell me what it is
: > and how it strikes ?

: Generally, a logic bomb can be described as a piece of code which is
: hidden somewhere (boot block, or executable), which, at a preset time,
: does something malicious (wiping disks, corrupting files, etc.). Logic
: bombs usually differ from viruses in that they don't reproduce. They
: are also, unlike viruses, placed into a system for a purpose (a virus
: writer usually releases his virus 'unto the masses' to see how far it
: gets, a logic bomb writer releases his bomb into a specific system for
: some specified purpose).

As I understand it, logic bombs are embedded within the program and are only executed if certain logical pathways are taken (for example, person X is removed from the payroll). If person X is never removed, the bomb never gets executed. These kinds of things are usually the brainchildren of disgruntled users.
One person I know of claimed to have done such a thing and then destroyed the source code so the bomb could never be removed. Yet another thing to be on the lookout for, I guess. :)

Dan
dtulloh@acca.nmsu.edu

------------------------------

Date: Mon, 05 Dec 94 15:51:20 -0500
From: "Rob Slade, Social Convener to the Net"
Subject: Promising signs in disk duplication

Those who have been following the virus scene are well aware of the problem of mass duplication of infected diskettes, and of the concomitant trouble in getting publishers to admit there *is* such a problem.

This weekend I received a request for help from an author who had been alerted to an infection on his own machine by a message from the disk duplicator telling him that the master disk he had sent in for his new book was infected. (With Monkey, from initial indications.) There is, then, at least one duplication house that is putting some effort into safety of the product.

My own book is accompanied by a disk with antiviral software for MS-DOS and Macintosh systems. (Thank you Wolfgang, Ross, Padgett, John and Fridrik.) I was, of course, absolutely paranoid that it would get infected at some point, and that I would be the first antiviral researcher to distribute code on disk to the masses.

When I got the master disk back from the publisher, I didn't find any infections. I *did*, however, find quite a few oddities. Somewhere downstream, someone had tested all of the archive files to ensure that they did, in fact, extract OK. The disk is an MS-DOS format 1.44 floppy, with one Macintosh program on it. The Mac copy program that was used to get the Disinfectant program off onto a test Mac wrote several files, and one directory, onto the original disk. I'm sure the professionally paranoid would have had a field day with the hidden directory and the "hidden, system" files that came with the disk.
(For the record, there is still one oddity on the disk: as a result of all of that, the FP-211.ZIP file is non-contiguous.)

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Tue, 06 Dec 94 16:02:08 -0500
From: "Rob Slade, Social Convener to the Net"
Subject: CVIA and the antiviral "industry" at large

Unfortunately, you are going to have to make much more than one phone call. The Computer Virus Industry Association, despite the name, never did represent much more than McAfee, McAfee agents, and certain groups closely associated with McAfee. You could talk to Ross Greenberg about the CVIA when it started up (but be prepared for some bad words :-)

There are literally hundreds of different companies producing different antiviral products (not counting those which produce general security products). Very few of these cooperate in anything like an "industry group". There simply isn't any hard information of the type that you want. Without a lot of research, you will have to rely on "guesstimates" for the size of the computer industry, relative utilization of AV software, average prices (taking site licenses into account) and so forth.

As a very wild guess, there are about 200 million personal computers out there. About a quarter are "home" machines and relatively few "home" users "buy" antiviral protection. (Yes, I know all of *you* do, but do all of your friends?) Of the 150 million "business" machines, figures for those "buying" protection range from 25% (three years ago) to 60% (last year). (These figures are self-report estimates *only*, and therefore highly suspect, but my own observations tend to bear them out.)
The most widely *purchased* (remember, we haven't said anything about use, because that wasn't what you asked for) tend to be F-Prot, NAV, CPAV and McAfee. (Most purchases for Macs are for the respective Symantec and Central Point products. Most widely used is probably Disinfectant, but it's free.) Prices range from $1 per machine (for F-Prot) to $100 per machine (for the higher priced commercial combos) to $250 per machine (for those few using general security packages at the high end). Averaging it all, and taking site licenses into account, it's probably about $5 per machine. Put it all together and you've probably got a $450 million industry.

Many will want to dispute these figures, and the various aspects thereof.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Tue, 06 Dec 94 19:00:47 -0500
From: Kenneth Gillgren
Subject: Virus reporting procedures and rumor control

What have been the most effective reporting procedures in companies or organizations with extensive WAN/LAN systems?

[Moderator's note: Excellent question, IMHO - especially in light of the recent hysteria over the "good times" hoax.]

------------------------------

Date: Tue, 06 Dec 94 07:30:37 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: OS/2 Virus Susceptibility? (OS/2)

maf10@po.CWRU.Edu (Moses A. Fridman) writes:

>Does anyone know how DOS viruses such as Monkey would behave under OS/2?

Many file viruses will work fine - just as other regular DOS applications... others will not work at all. MBR-infecting viruses will generally load normally but become inactive when OS/2 loads. However, if you have an MBR virus that activates on a specific date like J&M or Michelangelo, it will be able to activate as intended....
it is just not able to spread.

>Does anyone know of native OS/2 viruses

there are a few....not a significant problem.

> or virus scanners?

There are a few...the market for them is just too small.

-frisk

------------------------------

Date: Tue, 06 Dec 94 15:25:31 -0500
From: lrgray@ix.netcom.com (Lee Gray)
Subject: OS/2 Virus? (OS/2)

Just received a flyer from Central Point / Norton concerning the Central Point Anti-Virus Software for OS/2. I was wondering if there are any viruses that have been written specifically for the OS/2 operating system? There is an ongoing debate between myself and my manager concerning viruses and OS/2. He says that it is impossible to write an OS/2 virus because of the way OS/2 works with memory. I say that viruses will begin to appear when the interest to write them strikes. Opinions asked for and, if you know of viruses, please include their given names. I have scanned through the VSUM hyper-text file and could not spot any OS/2 viruses.

Thanks,
Lee

------------------------------

Date: Tue, 06 Dec 94 16:15:15 -0500
From: valdis@black-ice.cc.vt.edu (Valdis Kletnieks)
Subject: Re: Mainframe Viruses? (IBM VM/CMS/etc)

gjw wrote:
>Is this because DOS has an inherent weakness or just that there are
>more DOS systems to infect.

Actually, it's an AND. There's absolutely no protection on a DOS machine. You wanna scribble anywhere in memory or disk, go right ahead. On the other hand, for instance, an IBM mainframe running MVS/ESA with RACF or Top Secret installed is *quite* the challenge to write viruses for - each userid only authorized to write specific datasets, messages to the system console and your job gets killed if you go elsewhere, and so on. I believe that when you have RACF or Top Secret installed, it qualifies for a B2 security rating (i.e. quite difficult to break).
Also, there aren't many mainframes - I have heard that there are 25,000 licenses for IBM's VM/CMS system worldwide, and even smaller numbers for DOS/VSE and MVS - and most of those are safely locked up in dinosaur pens.

Valdis Kletnieks
Computer Systems Engineer
Virginia Tech

------------------------------

Date: Thu, 24 Nov 94 15:50:01 -0500
From: e92_ogu@elixir.e.kth.se (Olof Gunnarsson)
Subject: Help me: virus, whisper. (PC)

A friend of mine has got a virus of some kind on his computer. He scanned his computer with McAfee or what it is called. He got a message like 'Virus recognized as Whisper, but cannot erase it'. AND, if he's got a virus, I might have it too. (We exchange programs.) I wonder if someone knows what to do about it. I would be grateful if you could e-mail me then, since I don't read this newsgroup very often.

My e-mail address: e92_ogu@elixir.e.kth.se

/Olof

------------------------------

Date: Fri, 02 Dec 94 21:49:14 -0500
From: RICK HARRIS
Subject: Questions about viruses: (PC)

I have recently discovered that my PC has 2 viruses: Stoned and Vengence.B. I ran the Norton Anti-Virus software on my PC and it said that Stoned was common, but Vengence.B was rare. What do these viruses do? Please E-Mail with any info.

Thanx,
Toxey and Janet, Friends of Rick

------------------------------

Date: Mon, 05 Dec 94 04:15:39 -0500
From: ANTHONY APPLEYARD
Subject: New virus reported in China: `Li Peng' (PC)

In the 5 Dec 1994 issue of the Daily Telegraph (UK newspaper), p23:-

A new virus doing the rounds in China is perplexing the party faithful. When it strikes, a question appears on the screen: "Do you think Li Peng is a good prime minister?". If the operator answers "no", then the message disappears and the system is left untouched. On the answer "yes", however, the virus wipes the entire hard disk.

---------------------------------

PS.
Sorry to use bandwidth on a non-viral matter, but: I can't find info re this in any of the proper places: how to get Word Perfect 5.1 for DOS, when displaying text, to use my PC's 132*43 character text screen mode instead of the usual 80*25 character text screen mode?

------------------------------

Date: Mon, 05 Dec 94 09:37:58 -0500
From: brenda@oasys.dt.navy.mil (Brenda Beglin)
Subject: Virus Alert For INACOM Notebook Computers (PC)

From dproulx@sprocket.nosc.mil Thu Dec 1 17:42:12 1994
Date: Thu, 1 Dec 94 16:09:46 EST
From: dproulx@sprocket.nosc.mil (Dave Proulx)
Subject: CSA 94-45a

NAVCIRT Computer Security Advisory 94-45a
Subject: CSA 94-45 addendum
Navy Message DTG: 010142Z DEC 94

1. Problem: This addendum to CSA 94-45 provides additional information on the IDP laptops infected with the Monkey virus.

2. The Monkey B virus has been detected on notebook systems provided by Inacom through the Lapheld II contract N66032-92-D-0002. The scope of the problem has narrowed to units shipped from the subcontractor facility, IDP INC, through at least 9/24/94. Potentially, 1,483 units or more shipped to Inacom could be infected. The scope involves both CLINS 0001AC, SLC/33 (1,054 units) and CLIN 0001ae, DX/33 (429 units). The SLC/33 can be identified by manufacturer's part number DGI-D4l331204, with the DX/33 being DGI-86NB3-D-4D3-PLUS. Both units have the DGi name on the top.

3. Inacom and IDP identified the range of serial numbers possibly infected as follows:

   DGI 486DX/33 serial numbers ND310007 through ND310641
   DGI486SLC/33 serial numbers NX31180 through NX57091.

Units outside this range of serial numbers that have been reported to NCTAMSLANT as being infected are ND310951 and ND310704. It is recommended that all DGI units be checked for the subject virus.

4. The following software programs have been identified as capable of detecting and cleaning this virus:

   Norton Utilities Anti-Virus
   McAfee Anti-Virus v2.1.1 and above
   IBM Anti-Virus 1.07G

5.
The following actions will be taken by Inacom:

   A. A message alert will be placed on the Lapheld II Bulletin Board (LAPIIBB) including a description of the problem and instructions to affected customers.

   B. The McAfee Anti-Virus will be loaded to the LAPIIBB so that customers may download this software for use. The LAPIIBB number is 1-800-647-4772. Inacom will assist customers with the use of this software if the customer contacts Inacom at their technical support number 1-800-932-8235. If the customer prefers, Inacom will send them the necessary software if the customer cannot download.

   C. A written notice will be sent to all potentially infected ship-to points.

   D. If none of the above solutions are practical, the customer may return their unit for warranty/maintenance service.

6. Please check the NCTAMSLANT OASYS Bulletin Board for additional information. Recent versions of McAfee Anti-Virus software may be downloaded from NCTAMSLANT'S OASYS BBS. The phone number for OASYS is 804-445-1121 (DSN 565-1121). The required parameters are 8 data bits, 1 stop bit, no parity, and full duplex. ANSI terminal emulation is recommended but not required. OASYS handles connect speeds between 1200 and 14,400 bps. To download McAfee's virus scan program, log into OASYS and from the main menu select the "how to use OASYS" menu. Then choose "download help files" and you will see the program listed.

7. NAVCIRT would like to acknowledge the efforts of the individuals at NCTAMSLANT for providing the information contained in this advisory.

8. Please distribute this information to individuals who implement security policy and procedures within your activity.

9. If you have an electronic mail address accessible from the Internet and would like to receive the NAVCIRT Computer Security Advisories electronically, please do the following. Send email to NAVCIRT@NOSC.MIL with the message 'Subscribe' and you will be added to our mailing list.

10.
NAVCIRT has established the NAVCIRT Electronic Bulletin Board (NEBBS) and an anonymous ftp server for the distribution of computer security software and information to the Navy free of charge. To connect to the NEBBS the phone numbers are commercial (202) 764-2474 and DSN 764-2474. The modem will accept speeds of 9600 baud or below with a parity setting of 8/N/1. To connect to the anonymous ftp server enter 'ftp INFOSEC.NOSC.MIL' (IP address: 198.17.82.239), enter 'anonymous' at the name prompt and your full local e-mail address at the password prompt. Connections will only be allowed to host IP addresses which can be resolved to a host name ending with .MIL.

11. The point of contact at the Naval Computer Incident Response Team (NAVCIRT) at NISE East Det Washington is either D. Proulx or V. Feaster, (COML) (202) 764-2601, (DSN) 764-2601. NAVCIRT assistance can also be obtained by email to NAVCIRT@NOSC.MIL or via 24 hour voice mail pager at 1-800-759-7243, pin number 2023834.

*******************************************************************************
* Brenda Beglin                                  | I'd rather be flying!
* David Taylor Model Basin, Carderock Division   |
* Naval Surface Warfare Center                   |     /------!------\
* Code 3581, 301-227-4901  A/V 94-287-4901       |         \(|)/
* Bethesda, Maryland 20084-5000                  |         o/ \o
*******************************************************************************

------------------------------

Date: Mon, 05 Dec 94 10:04:34 -0500
From: sad@utkux.utcc.utk.edu (Deutscher)
Subject: Re: invb601a.zip - The InVircible Anti-Virus Expert System v6.01A (PC)

Any OS/2 versions of the amazing thing around that one could try and compare to other ones?

Cheers,
Stefan

Zvi Netiv (ila2007@zeus.datasrv.co.il) wrote:
: On Wed, 16 Nov 1994, Douglas W. Jones wrote:

: > I am currently using IV in unregistered mode. I think it is an
: > amazing piece of software and a fantastic concept - like a
: > computer "immune system". Well done, Zvi!

: Thanks Doug.
: > 1) What changed between 6.01 and 6.01a? Jeff - would have been
: > nice if you'd included this info in your post; Zvi it would be
: > helpful to have a "changes.txt" in the zip perhaps.

: Well, you are right! I'll add a WHATSNEW file with the next revisions.
: Unlike traditional AV software, InVircible does not have "updates", as
: scanning is not its purpose, but revisions or enhancements, if you like.

: The major one in 6.01A is the addition of new features to take care of the
: new large capacity IDE drives. Western Digital just threw to the market
: the 1 gbyte drive with the dynamic boot XBIOS driver from Ontrack. To my
: total surprise, the driver uses a technology that I saw before only with
: stealth boot viruses. This does not mean that the driver is a virus, not
: at all, but it needed to look carefully at all the low level routines,
: incorporated in an AV product. Quite many may be surprised when viruses
: like Monkey hit such disk. Western Digital and Ontrack made allowance
: only to Michelangelo, Stoned and No-INT by leaving sector 0,0,7 vacant.
: All the rest are occupied by the booting driver code (from 2 to 6, Monkey
: overwrites 3!). :-)

: Rev 6.01A covers it all, and I may say that IV is probably now the only
: product that is aware of this new technology.

: The implications are important to all "disk rescue" utilities, not only
: to AV!

: I wrote a note on the subject and posted it to Virus-L, a week ago, but I
: didn't see it yet in the digests. Maybe in the next.

: > Thanks, and keep up the great work!

: I'll try. :-)

: Regards,
: Zvi Netiv, InVircible

------------------------------

Date: Mon, 05 Dec 94 11:21:59 -0500
From: Greg Davis
Subject: Re: FORM virus on Doublespaced Drives (PC)

Steve W. Taylor writes:
>Has anyone had any experience of getting rid of the FORM virus on MSDOS 6.2
>Doublespaced drives? Clean on NAV, DrSolomon etc. fails. Our only solution
>is to reformat.
>
>Help would be appreciated.

Have you tried KillMonk??
It was written specifically for Monkey. I don't know how it would react on a DoubleSpaced drive. If I recall, the biggest problem is recovering the Master Boot Record. I can't find my copy right now, but if I recall correctly it was on mcafee.com the last time I was there.

Greg Davis
greg.davis@DaytonOH.NCR.COM

The comments and opinions expressed are those of the author and do not reflect those of AT&T or AT&T GIS.

DONT TREAD ON ME

------------------------------

Date: Mon, 05 Dec 94 11:32:23 -0500
From: aboer@umich.edu (Andrew Boer)
Subject: Ack! My Keyboard gets remapped. Help! (PC)

I picked up this virus somewhere (I assume) that keeps remapping my keyboard every time I reboot. Only occasionally does my keyboard work (like one out of five times). Help! What might be causing this? What can I do? Please mail me all help or relevant info.

thanks

petrified,
Andrew

------------------------------

Date: Mon, 05 Dec 94 11:34:25 -0500
From: hiwire@technet.sg (Lim Beng Cheng)
Subject: Re: Virus Alert -- NATAS. (PC)

Just to add a little. Natas, besides being polymorphic, is also a multi-partite virus and will infect the MBR of the hard disk. So even if you don't boot from floppy drives or your PC is diskless (no floppy drive), the hard disk partition can also get infected. Without a floppy drive, it will be extremely difficult to remove Natas from the partition since fdisk /MBR will not be effective with the virus in memory.

--
Lim Beng Cheng                        Know the computer
Hiwire Computer & Security Pte Ltd    Know the anti-virus
hiwire@technet.sg                     Know none of them and
                                      Your system will soon perish

------------------------------

Date: Mon, 05 Dec 94 11:50:57 -0500
From: hiwire@technet.sg (Lim Beng Cheng)
Subject: Re: Anti-CMOS Virus Infection - HELP! (PC)

Ed Faulk (efaulk@shelties.dp.beckman.com) wrote:
:  writes:
: . snip ...
: > A simpler way is to install FRONTLINE. This is a very new product and
: > much thought and effort was put in to make it work for all forms of
: > boot/partition viruses.
: > Just install into your hard disk and on boot up,
: > if a boot virus exists, it will prompt you to remove it. All you need is
: > just to type Y. No special training is required for your users. It is
: > fortunate that the virus you encounter is a simple one. There are many
: > cases when FDISK /MBR does not work. FRONTLINE will work and it works by
: > booting up from the very hard disk that is infected. FRONTLINE can
: > remove the virus even from an infected hard disk, and stealth ones too.

: Since you are really pushing this product, perhaps you'll be kind
: enough to answer a few questions. Most products that "protect" the
: boot sector do so by copying the sector and then comparing them. There
: are times when the boot sector is SUPPOSED to change (new version of
: operating system, repartition the drive, etc.). Does your product detect
: that as a virus, or do you know that the format change was valid?

FRONTLINE is a generic boot virus disinfector, though it is not a TSR. Since there is no way of telling the contents of the boot sector in the next release of DOS, FRONTLINE will warn the user of the suspected virus. The user can type N for No and the boot sector will not be overwritten. In an organisation, it is normally the administrator who will upgrade the OS (unless there are some wise guys around). He can uninstall FRONTLINE, upgrade the OS (using SYS C:), then reinstall FRONTLINE.

--
Lim Beng Cheng                        Know the computer
Hiwire Computer & Security Pte Ltd    Know the anti-virus
hiwire@technet.sg                     Know none of them and
                                      Your system will soon perish

------------------------------

Date: Mon, 05 Dec 94 12:30:42 -0500
From: ANTHONY APPLEYARD
Subject: DOOM game messages (PC)

Not directly a virus [1] but something that can choke the net up as bad as viruses or worms can: Is there a program / routine / option / etc that can be clipped onto or patched into Novell Net software, which can detect and stop the DOOM game's inter-player messages?
The DOOM game must have some way to tell its messages from other messages, when the player is interacting with other players over the net: and, if so, then the Novell server, if correctly programmed, should be able to distinguish DOOM game messages also. What other games etc are there that choke the net up that bad? Sorry to show my ignorance, but I am not a computer games fancier.

[1] Indeed directly viruses!, if the game habit encourages people to copy infected games about, as has been reported for DOOM.

------------------------------

Date: Mon, 05 Dec 94 15:45:35 -0500
From: brewer@us.net (Scott Carpenter)
Subject: Mr. Ed Virus (PC)

I'm looking for information about a virus that places Mr. Ed in some files and destroys directory structure. Any suggestions? Newsgroups?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Scott Carpenter    brewer@us.net
"moderation is for monks"   L.L.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 05 Dec 94 16:03:36 -0500
From: rldel@delphi.com
Subject: Re: FORM virus on Doublespaced Drives (PC)

Dear Steve,

I was successful in repairing a doublespaced HD with the Forms virus by using a boot floppy with Norton's DiskDoctor utility.

Rick

------------------------------

Date: Mon, 05 Dec 94 18:03:56 -0500
From: Bonnie Morrison
Subject: Need info on Cansu virus (PC)

Has anyone had experience with the Cansu virus? I used F-Prot to disinfect the hard drive after booting from a clean floppy. What, if anything, should I be concerned about in regards to this virus? Any comments will be appreciated. TIA

--
Bonnie Morrison                     Missouri Western State College
Management Intern                   Bus. & Econ. Computer Lab
email morrisbf@griffon.mwsc.edu     St. Joseph, MO

------------------------------

Date: Mon, 05 Dec 94 18:45:36 -0500
From: czimmerm@NMSU.Edu (Chad D. Zimmerman)
Subject: Stelth_C 2? (PC)

Is there a new strain of Stealth on the loose? McAfee will find it, but not clean it.
F-Prot says that there is a possible infection, and will not clean it. Any replies would be helpful.

Chad Zimmerman
New Mexico State University
czimmerm@nmsu.edu

------------------------------

Date: Mon, 05 Dec 94 19:42:45 -0500
From: usmf@emoryu1.cc.emory.edu (Mahbuba Ferdousi)
Subject: RM virus (PC)

Hi,

Has anyone heard about the RM virus? It seems to affect the Master Boot Sector and Fdisk /MBR does not seem to get rid of it. If anyone knows anything about it please respond to my direct address usmf@emory.edu.

Thanks in advance,
Mahbuba

------------------------------

Date: Mon, 05 Dec 94 19:54:43 -0500
From: Tripp@richmond.infi.net (Tripp Lewis)
Subject: Re: VCL?? (PC)

Nick FitzGerald says:
>Tripp@richmond.infi.net (Tripp Lewis) wrote:
>
>I'm sure AV s/w companies do benefit directly or indirectly from the
>activities of VX BBS'es, but "we" (the computer-using public) would
>benefit even more -if- they were closed down. Today the VX BBS'es are a
>source of incentive to the creation of several new viruses, mostly
>mindless minor variations on existing variants of the early, proven
>designs. Keeping up with this tide wastes much AV time that would (or
>at least could) probably be better spent on the real threat of keeping
>ahead of the occasional truly worrying "completely new" virus.

Unfortunately closing down virus exchange bulletin boards will not happen (in the U.S.). This is because we have something called rights. Simply put, our government cannot tell us what we can and cannot do on our computers, which means I can write viruses on my machine, let others who I feel are qualified enough to handle computer viruses download them from my machine, and if I want I can infect...my machine. I do agree that there are a lot of mindless minor variations being exchanged, but at the same time there are people who like to collect them. The main reason why we run vx bbs's is for communication and education not because we want to infect the computers of the world.
>As this is more often than not a euphemism for "pimply, testosterone-
>charged teenager with dubious ethical standards", it is no wonder that
>VX BBS'es are the main places that they obtain material for their
>"research". . .

And where does the AV go to obtain their material? Oh please tell us.

>> ... The law cannot do crap about
>> people who write and exchange viruses.
>
>Bzzztt--wrong.

Wrong McFly! I was referring to the U.S.

>> FireCracker, NuKE
>
>I've asked Ken whether postings from people like this really should be
>accepted.

..and what did he say? So what? I can't sign my alias.. . Get real man! Please go into greater detail about your references to me as "people like this..."

FireCracker, NuKE

------------------------------

Date: Mon, 05 Dec 94 21:37:32 -0500
From: bwhirl@aol.com (BWhirl)
Subject: Re: monkey virus (PC)

sfrazza@netaxs.com (Sally Frazza) writes:
>Need AV program for Virus.

While this may be late..... one of my clients just recently became infected with the Monkey virus. We used the latest version of F_PROT to wipe the virus out. It did so quite nicely and we only lost one hard disk out of 5.

Good luck.
BWHIRL@AOL.COM

------------------------------

Date: Mon, 05 Dec 94 21:53:57 -0500
From: bwhirl@aol.com (BWhirl)
Subject: Re: master boot record viruses (PC)

susanbs@satelnet.org (Susan Sassoon) writes:
> Getting a virus out of Master Boot Record

Simply use the command FDISK /MBR to clean the master boot record.

BWHIRL@AOL.COM

------------------------------

Date: Tue, 06 Dec 94 01:49:52 -0500
From: deepak@india.hp.com (Deepak Shenoy)
Subject: Cure of Die Hard ? (PC)

Hi All,

Does anybody know if a vaccine is available for the DieHard virus out there? If so please inform me through email or otherwise at the earliest.

Thanks in advance,

Regards
P Deepak Shenoy

[ My friend's machine is infected with the DieHard virus ]

------------------------------

Date: Tue, 06 Dec 94 02:44:14 -0500
From: cceksw@leonis.nus.sg (Gerald Khoo)
Subject: Any Sophos Internet sites around??? (PC)

Hi...

I've got the Sophos package and am running the SWEEP.NLM on NW4.02. According to the instructions, if we discover any new viruses, we have to upload a copy of the infected file to their BBS (in the UK) and they will fax us, after decoding, an ASCII text to be implemented with the SWEEP.NLM. Are there any Sophos FTP sites so that I do not have to dial up to the UK??? Or does anyone know how to analyse and describe the identity in Virus Description Language so as to incorporate it in SWEEP.IDE???

Thanks.

- --
===============================================================================
Khoo Seng Wee, Gerald                    National University of Singapore
Computer Centre                          Tel: (65) 772-6426
10, Kent Ridge Crescent                  Fax: (65) 778-0198
Singapore 0511                           Internet: cceksw@leonis.nus.sg
===============================================================================
In Christ alone, I place my trust,
And find my glory in the power of the cross;
In every victory, let it be said of me;
My source of strength, my source of hope,
Is Christ alone.                                          Michael English
===============================================================================

------------------------------

Date: Tue, 06 Dec 94 07:16:55 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: help! virus on Nov.15th ??? (PC)

bambi@informatik.uni-wuerzburg.de (Stefan K. Bamberger) writes:

>at tuesday 15th november with the message like " can't find drive C: "
>this seems to look like a virus....
>Does anybody know, if there exists a virus which gets active at 15th
>november and has that kind of appearance?

Indeed. This is the J&M virus I guess. Pretty common in Hungary and Iceland, with isolated incidents reported in various East-European countries.
This is a boot sector virus that activates on November 15th, and overwrites the MBR.

>One of the PCs could be reanimated with norton disk doctor - the partition
>table was refreshed.
>After reanimation the SCAN V9.2 didn't find any virus .....

Not surprising, as the virus hides in the partition sector, and when it activates it overwrites itself. I think SCAN calls this virus Hasita, but other anti-virus programs (those that detect it at all, that is) call it either J&M or Jimi.

>Does anybody know how to get rid of it?

F-PROT will remove it (before it activates), as will FDISK /MBR.

>If not, is there another way to get access to the drive again, without
>reformatting it?

Fiddling around with NU and NDD will do it (but you might have problems on machines running OS/2 with HPFS, or Netware servers)....but it is not easy. If simply running NDD and telling it to recover the partition does not work, a professional data recovery service might be the best bet.

>Which options will be best with format to be sure to
>delete a possible master boot sector virus etc.??

I don't understand what you mean.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 06 Dec 94 07:25:08 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: MSAV / F-Prot comparison (PC)

barclae@gov.on.ca (Elizabeth Barclay) writes:

>Does anyone have any information comparing the
>performance of MSAV vs. F-Prot?

Ask Microsoft.....there must be some reason why they bought an in-house license for F-PROT instead of using their own product.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 06 Dec 94 07:35:21 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Telecom virus (PC)

The Packetman (dnorman@av8r.dwc.edu) wrote:
> My friend is currently wrestling with the Telecom virus(maybe). While
> formatting his hard drive, the computer tells him that there is a
> possible virus.

You have "virus detection" (actually just boot sector write protection) enabled in the BIOS.

> After continuing with the format, we ran f-prot and
> it returned saying that the telecom virus was present in memory.

Are you sure you did not run MSAV or CPAV in the machine....they used to cause this false positive.

> then performed a clean boot and ran f-prot again. This time f-prot
> said the computer was clean.

Which it probably was. Disable "virus protection" in your BIOS, format the disk, and then enable it again. Stop worrying...you have no virus.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 06 Dec 94 07:38:11 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Trident virus info? (PC)

aswNS@hamp.hampshire.edu (Albert S Woodhull) writes:

>In a recent visit to a university in Nicaragua I found that they were
>having persistent infections of a virus that McAffee SCAN v. 117
>detects and identifies as Trident.

Detects, but does not identify.....Scan calls a large number of different viruses Trident.

>Other anti-virus tools on hand may
>have been out of date, in any case they (CPAV and MS-DOS AV) did not
>detect it.

Not surprising.

>Can someone mail me some information about this virus?

The "Trident" name is too inaccurate to specify which virus this is, sorry...
- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 06 Dec 94 09:03:25 -0500
From: beaurega@ireq.hydro.qc.ca (Denis Beauregard)
Subject: Virus modifying CHKLIST.CPS/.MS? (PC)

I saw some strange things on my PC, but the anti-virus programs I tried found nothing. They are: SCAN 117, an old NAV, CPAV and MSAV.

MSAV and CPAV put checksums in a file (chklist.ms and .cps) and advise when there is a change. I found many files changed (after I modified and recompiled them) but the checksum did not change. It seems that, systematically, if the previous version stored in the chklist file and the current version are in the same month, the checksum is different, but when the month is different, then the checksum was always the same!

Can someone identify a virus with that, or is it now common that a virus changes the chklist files? Or is this an annoying but normal behaviour of MSAV/CPAV?

- --
This message represents only the opinion of its author and in no way commits his employer.
Denis Beauregard                    Internet: beaurega@ireq.hydro.qc.ca
Program with class: try C++

------------------------------

Date: Tue, 06 Dec 94 12:18:02 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Memory Scanning (v-l 7.096) (PC)

>From: Iolo Davidson
>Subject: memory scanning (PC)

Let me preface this by saying that I have not seen the article in question, nor have I looked closely at Thunderbyte recently. I can recognize emotionally loaded comments when I see them though.

>The SECURE Computing article had full regard for the *issues* in
>all their aspects.  What it did not do was accept Thunderbyte's
>excuses for the fact that it did not cope with memory resident
>viruses, neither by finding them in memory (as the other products
>did, with greater or lesser effectiveness) nor by employing its
>own, new wave, different, don't-tell-ME-how-to-find-viruses way
>of working.

Well, as one of the first to recommend memory scanning back before it was popular (see my "6 Bytes" article in the CERT archives), I do know something about how it all got started: the 4096/Frodo/Hundred Years (different names for the same thing) was the first widespread "stealth" fast infector and appeared in 1990. Since it lied to DOS and captured every attempt to read a file, file scanners (which were the only kind at the time) not only did not find the virus, but the act of scanning every executable spread the virus to every executable.

As a result, scanners had a choice to make - either determine if a virus is in memory and require a clean boot before using DOS services to scan a disk, or don't use DOS to scan the disk. Either would be perfectly acceptable. There were advantages to detecting the virus in memory, primarily since it is not trivial to recreate all of the DOS functions in a program - I recall only two programs that even attempted it - T'byte and Dr. Panda, and the "thundering herd" instead added memory scanning.

As it turned out there were certain advantages to memory scanning first and then using DOS, since emerging systems were easily available from above DOS and very difficult to recreate from underneath. Compressed disks, removable media that use their own device drivers (Bernoulli, Syquest), 32 bit addressing schemes, CD-ROMs, and PCMCIA drives to name just a few. On the other hand, there are definite advantages to not using DOS in that you have direct access to the raw data in the FAT and the directories that *must* be correct (why CHKDSK always had problems when a "stealth" virus was present).
The important thing is that this is not better or worse (though considerably harder to do well), just different, and does address some very real problems such as: what do you do if you need a special driver to access the disk AND it is not on a floppy AND the scanner refuses to do *anything* without a clean boot?

Therefore, IMHO, whether an anti-virus device does or does not use a memory scanner is irrelevant to the real problem: does the a-v program do what is needed, e.g. detect and remove viruses reliably?

For years, my own small (300 byte TSR) attempt, DiskSecure, has suffered from a similar problem. It has no scanner, it does not identify viruses at all (it just recognizes and blocks low level viral activity) and, should the worst occur, simply removes the nasty (after asking permission). Professionals seem to like it but magazines have a big problem since it has no GUI, addresses only a specific area of the problem (but one that accounts for over half of all infections), does not bother to identify viruses, and is compatible with just about everything - even defrag programs. The fact that DS has over the years proven resistant to new and emerging viruses and even directed attacks without periodic updates is of course difficult to quantify without a deep understanding of the boot process.

In some ways Thunderbyte suffers from the same problems: because it is different, it is difficult to evaluate using any standard means even though it is very efficient at what it does. Any number of very good programs suffered equally from the popularity of scanners. Ross Greenberg's Flushot, Enigma-Logic's PC-SWVSafe, the previously mentioned Dr. Panda to name a few.

It is my opinion however (and has been since 1989 - check the archives) that ultimately scanners are doomed by the sheer proliferation of viruses that do not have stable signatures. Even now many are turning to heuristics and rules-based testing to compensate for the basic limitations of scanning. Again IMHO, anything limited to "known" viruses is already in trouble, yet how else is a magazine going to test them?

I can only speak for myself, but I have never considered my DS to be a one-stop solution; I believe in layers and this is just one component. One of the reasons I made the TSR tiny is so that several could be loaded without creating a problem (it works well with VSHIELD, though I prefer my NOFBOOT or SUMFBOOT to VS's floppy boot block - a CMOS setting is even better, which is what DS2's transfer to floppy boot after protection load is designed to work with 8*)

The bottom line is that a-v work is really an obscure and demanding specialty requiring information that is not generally available. It is hard for a journalist to be an a-v expert as well, yet where does a journalist go to find an unbiased expert? Fact is that there aren't any.

Will say that I have never either written a virus nor felt a need to - the replication part is trivial anyway. I have written test cases to explore possibilities that were non-replicating and I have written polymorphic programs (one of my first a-v programs, CANARY, changed itself every time it executed so that a virus would not recognize it and decide not to infect). Besides, I have never wanted to do anything that using a virus would not just complicate.

Warmly,
Padgett

------------------------------

Date: Tue, 06 Dec 94 12:44:14 -0500
From: gcluley@sands.co.uk
Subject: Re: solomons causes GPF's & slows program loads (PC)

sshortal@iol.ie (Seamus Shortall) writes:

>I'm using Solomon's GUARD 4.2 TSR & have the following
>problems:

You're using a *very* old version of the VirusGuard TSR. The current shipping version is 4.57. Substantial enhancements have been made to the product since the version you are using. The current version detects in excess of 5000 viruses, variants and trojans.

>2: My terminal emulator program takes 3 times longer to load.

There are ways of optimising VirusGuard's performance.
In any case the current version has been sped up by a factor of 2.

>Does anyone know if this is specific to this version & should I
>look for an upgrade or a different product?

Sounds like it is a problem specific to this old version of the product. I work for S&S so I would recommend you stayed with it. However, the report on TSRs by the University of Tampere Virus Test Center earlier this year also supports this:

Product                                     Infected files   Percentage detected
Virus Guard (Anti-Virus Toolkit v.6.51)     2915 of 3024     96,4 %
TbscanX (Thunderbyte v.6.11)                2600 of 3024     86,0 %
Virstop (F-Prot Professional v.2.11a)       2573 of 3024     85,1 %
NavTSR (Norton Anti-Virus v.3.0)            2350 of 3024     77,8 %
Vshield (McAfee Scan 9.24 v 113)            1741 of 3024     57,6 %
Vsafe (Central Point Anti-Virus v.2.0)      1651 of 3024     54,6 %

I see you live in Ireland. Here are your contact details for Dr Solomon's technical support:

Priority Data Systems Ltd
Priority House
63 Patrick St
Dun Laoghaire
Co Dublin
Ireland
Tel: +353 (01) 2845600
Fax: +353 (01) 2800311

Regards
Graham

- ---
Graham Cluley [gcluley@sands.co.uk]         Product Specialist,
S&S International PLC, Alton House,         Dr Solomon's Anti-Virus Toolkit
Gatehouse Way, Aylesbury, Bucks, UK         S&S International PLC
+44 (0)1296 318700

------------------------------

Date: Tue, 06 Dec 94 13:21:43 -0500
From: agentry@uga.cc.uga.edu (Anna Gentry)
Subject: Re: Network Antivirus NLM's / need advise (PC)

kloeppej@ccmail.orst.edu (John Kloepper) wrote:
>
> We are currently looking into antivirus NLM's to run on our Novell servers.
> To date all i've been able to find is netshld from McAfee. Can any one
> provide information on other options or an opinion on netshld?

Hey! Me, too! :)

Actually, I have just started looking into antivirus NLMs that are the best fit for our public access labs. We're running on Novell 3.12. I'm concerned about the amount of memory some of these antivirus TSRs take up. We're kind of running a tight fit in some of these labs. Has anyone worked with Solomon's Anti-Virus Toolkit?

Anna

------------------------------

Date: Tue, 06 Dec 94 13:45:47 -0500
From: vcurtis@relay.nswc.navy.mil (vcurtis)
Subject: HELP: InVircible CMOS Error ? (PC)

Periodically when I boot up my system InVircible gives me a message stating 'CMOS Data has changed'. I have no idea what it thinks is wrong or what, if anything, I should do about it. I don't know why it is changed sometimes and not others. What would cause my CMOS to change, or is InVircible fooling me? It happens probably about every 3rd time I boot up. Any ideas? Thanks.

VA

[Moderator's note: Does your motherboard use a battery for its CMOS memory? Might want to check it...]

------------------------------

Date: Tue, 06 Dec 94 14:18:22 -0500
From: whudace@bgsuvax.bgsu.edu (Bill Hudacek)
Subject: InVircible is invasive??? Problem?? (PC)

To all who have reason to be concerned (and that's anyone who has a copy of InVircible):

The "InVircible Soap Opera" continues. At this point, the representative of FuturSoft Corporation has not responded to [my] latest questions. Enclosed please find a digest of relevant message contents. Sorry about the length, but this is too important to gloss over...!

History:

1. I noticed mention of InVircible in comp.virus, and went out & found it.

2. I took it home & tried it, & loved it. I called the vendor; I bought the software (no credit cards involved, just my address & "pay when you get it").

3. Package shows up 3 days later; I had problems installing, made two calls to Support; ended up getting the authorization key over the phone --- seems that with SMARTDRV *write-enabled* on a floppy, the install can't work :) They were supposed to send another disk; I haven't seen it. (To be fair, I haven't asked them about it either!)

4. I noticed "Mr. G's" post (enclosed below), which mentioned some rather undesirable behaviors when he ran IVINIT at system startup --- with ThunderByte utilities already running.
I sent mail to the vendor, adding my own concerned voice...

5. The vendor's response is included herein. (Essentially, "No way it's our software.")

6. I went out myself, and got the latest copy of ThunderByte (6.26). I saw many of the same symptoms that night that Mr. G. had reported. Details are below, but here's a synopsis:

   a) ATTEMPTED: COMMAND.COM renamed to 'g .COM'
      * no matter how I answered ThunderByte's prompt, the system hung.
   b) I removed TBFILE from the startup files, & (ostensibly) got past the command.com manipulations (this is getting scary, isn't it?).
   c) ATTEMPTED: creation and invocation of between 3 and 5 .COM files with names like 'GUH7487H.COM'... ThunderByte's TBCHECK, which monitors executed programs (checked against a data base of files...) detected every one of these attempts.

7. I sent mail to Mr. G. and Jeff Murphy (of FuturSoft), letting them know that I'd duplicated a) the environment and b) the symptoms observed (by Mr. G.).

Message in 7) was the last sent to/from FuturSoft. Perhaps, here, in a public forum, more pressure can be brought to bear.

QUESTIONS:

1) Can anyone else verify or obviate the two test situations??

2) I've tried McAfee (latest version, whatever that is), and something called 'fixutils' (which was locally recommended), and NEITHER of them let out so much as a peep when IVINIT was 'doing its thing'. Anyone out there that can try other packages (either ThunderByte, or any other)????????

Submitted for your approval: the more of us who verify and repeat these circumstances, the better the odds of getting satisfaction. BTW, I really _do_ hope this can be worked out. This is a 'sexy' package, aside from its *invasion* of your most private parts :^)

Please feel free to respond to the group. If anyone hears from FuturSoft, please let the group know!

Regards,

========================================================================
>From: Zeppelin@ix.netcom.com (Mr. G)
>Newsgroups: comp.virus
>Subject: Re: The InVircivle Anti-Virus Expert System v6.01 (PC)
>Date: 15 Nov 1994 17:41:42 -0000
>Distribution: world

rc.casas@ix.netcom.com (Robert Casas) writes:
>frankj@tv.tv.TEK.COM (Frank Jazowick) writes:
>
>> I just have heard about the 'new' anti-virus program called
>>The InVircivle Anti-Virus Expert System v6.01...
>>
>> It just came out of Israel and is being used by Australia and
>>New Zealand.
>>
>> So has anyone heard of this program and how good it is as
>>compared to well-known shareware and commercial anti-virus
>>programs?????
>
>>
>F-PROT is a very good scanner. So, too, are TBAV and AVP. However,
>InVircible is not really an AV product designed around the concept of
>"scanning" to detect viruses so that you can remove them. This is
>probably one of the most difficult ideas that people familiar with
>traditional AV tools - such as F-PROT, TBAV, and AVP - will have to
>deal with to understand and accept InVircible.
>
>InVircible does have a virus scanner (IVSCAN) but it is designed to
>detect common viruses. Also, it does not work with "signatures" or
>"heuristics" in the way most "scanners" do. In any case, IVSCAN is not
>the most interesting or powerful feature of InVircible.

I have been using IV for about a week, and was pleased with its graphical approach as well as its speed. I used IVINIT, IVB, IVSCAN at boot up, and felt secure. Well, being a little paranoid, I kept my registered TBAV, TBMEM active as my only TSR. No PROBLEMs, yet. So this week, after having to rebuild a friend's HD after a Whisper attack, I decided to add TBcheck and TBfile to my active TSRs. Here is where it got sticky. Upon bootup, after TBMEM/TBCHECK/TBFILE were active, IVINIT sent a flag to TBAV. Several in fact. Then IVB started sending flags (warnings) to TBAV, and TBAV told me that IVB was trying to rename Command.com to @!$&.com (this is no shit), and would I like to stop it.
The first time I said no, and IV went on to rename 6 different files from DOS and set them in my root directory. When all the TBAV/IV flags stopped, my system hung, telling me that it could not find a command interpreter. I booted from my Norton Utilities Rescue Disk (not the one IV made), and did a SYS c: to restore my missing Command.com. I then went to Norton Commander and viewed the drive. I found that the 6 files were 6 bytes long, and named like that of a "Stoned Marked" file. I deleted them, and restored the renamed files with my 6.22 setup disks.

I have removed IV from my autoexec.bat, but not from the HD, YET. I plan on trying IVSCAN a little later, after I get a response to this post from the author.

========================================================================
>From Zeppelin@ix.netcom.com Tue Nov 22 17:11:32 1994
Date: Tue, 15 Nov 1994 20:17:45 -0800
From: "Mr. G"
To: Bill Hudacek
Subject: Re: The InVircivle Anti-Virus Expert System v6.01 (PC)

You wrote:
>
>In comp.virus you write:
>
>< clip... >
>
>>a little paranoid, I kept my Registered TBAV,TBMEM active as
>>my only TSR. No PROBLEMs, yet. So this week, after having to
>>rebuild a friend's HD after a Whisper attack, I decided to
>>add TBcheck and TBfile to my active TSR's. Here is where it
>

Bill,

What I have since found out is this: If you start IV prior to TBAV/F-PROT, etc., it sends no warnings. B U T !!! If you try to run IV after TBAV's shit is in memory, bells and alarms go NUTS!!! Same shit starts, and command.com is gone again, plus you have about 10 6 byte files ?????? ummmmmmmmmmm

-Zep-

- ---------- Forwarded message ----------
Date: Wed, 16 Nov 1994 12:32:04
From: "Jeffrey K. Murphy"
To: whudace@dad.bgsu.edu
Subject: Re: *** The InVircivle Anti-...

Hi William,

>I'd like to add my own request for information to that of the
>author of the included news posting.
>
>I can be reached through this email address; or, if you wish, you may
>reply to comp.virus (where this post originally appeared), and I will see
>it there.
>
>Thank you,

You're welcome!

>rebuild a friend's HD after a Whisper attack, I decided to
>add TBcheck and TBfile to my active TSR's. Here is where it
>got sticky. Upon bootup, after TBMEM/TBCHECK/TBFILE were active
>, IVINIT sent a flag to TBAV. Several in fact. Then IVB started
>sending flags (warnings) to TBAV, and TBAV told me that IVB was
>file. I deleted them, and restored the renamed files with my
>6.22 setup disks.

I tried the same exercise under identical conditions as described above. At no time did IVB (or any other InVircible component) try and rename any files. InVircible has no internal facilities to automatically rename files during any process. The ONLY TIME InVircible will rename a file is through the IVX module and then ONLY AT THE USER'S REQUEST.

InVircible has NO TSRs that will manipulate memory or other processes during operation. It was purposely designed this way.

I have since tried different memory managers and other methods to duplicate the results and have not had any difficulties, nor have we EVER received any complaints on the effectiveness or operation of InVircible.

Should you have any other questions or concerns please contact us at 1-800-NOVIRUS (668-4787) and we'll be happy to assist you.

Jeff Murphy
FuturSoft Corporation
InVircible North American Distributions and Support

========================================================================
>From whudace@chip.bgsu.edu Tue Nov 22 17:11:49 1994
Date: Thu, 17 Nov 1994 10:38:31 -0500 (EST)
From: William Hudacek
To: "Jeffrey K. Murphy"
Cc: "Mr. G"
Bcc: Jim Hoy , Kent Strickland
Subject: Re: InVircible

I thought you would both like to know that I obtained a copy of ThunderByte (version 6.26, from risc.ua.edu). I installed the full suite of memory-resident tools, whilst leaving IVINIT in the autoexec file, but set to run after TBFILE.
When I rebooted, I received a message (as soon as IVINIT started up) that it was trying to rename command.com to .com (three times this message had a null file name; three other times it was 'g '.com). No matter my answer (cancel: Y/N), the box hung...but did not necessarily require a hard reset. The key buffer would not fill up; CTRL-BREAK caused a strange, two-tone beep; and, once, after pounding on various keys for some length of time, I *did* have to do a hard reset.

This done, I removed TBFILE, and (though the command.com mods now proceeded[???]) I received messages from TBCHECK that it 'did not find the checksum information for . Cancel execution? Y/N'...! The file names given were, variously,

I8YVCYG7.com (twice!!!??)
CEQ87EN6.com

I believe this proves (beyond any _reasonable_ doubt) that it's not a problem which is isolated to "Zeppelin's" computer. This means it's in the software.

I believe the ball is in your court now, Jeff.

Waiting is,

William G. Hudacek                  Internet: whudace@dad.bgsu.edu
University Computer Services        Bowling Green State University

========================================================================
========================================================================
>Date: Wed, 16 Nov 1994 12:32:04
>From: "Jeffrey K. Murphy"
>To: whudace@dad.bgsu.edu
>Subject: Re: *** The InVircivle Anti-...
>
< clipped>
>
>I tried the same exercise under identical conditions as described
>above. At no time did IVB (or any other InVircible component) try
>and rename any files. InVircible has no internal facilities to
>automatically rename files during any process. The ONLY TIME
>InVircible will rename a file is through the IVX module and then
>ONLY AT THE USER'S REQUEST.
>
>InVircible has NO TSRs that will manipulate memory or other
>processes during operation. It was purposely designed this way.
>
>I have since tried different memory managers and other methods to
>duplicate the results and have not had any difficulties, nor have
>we EVER received any complaints on the effectiveness or operation
>of InVircible.
>
>Should you have any other questions or concerns please contact us
>at 1-800-NOVIRUS (668-4787) and we'll be happy to assist you.
>
>Jeff Murphy
>FuturSoft Corporation
>InVircible North American Distributions and Support
>

Jeff:

This is Zeppelin. I am using a registered copy of TBAV and I am using TBCHECK3.exe, TBMEM3.exe and TBFILE.exe. I can tell you for a fact that this happens!!! Since my copy of TBAV registered is UPPER level (ie: processor addressable, and there is a difference) it just goes nuts. I am afraid to run IV except at boot up. If you load all TBAV (ALL) prior to IV, you should/will get all the bells you like. You can say what you want, but understand that I like your product, and will continue to use it at boot up instead of the TBAV boot check, but there are real problems. If you e-mail Zeppelin at ALT.COMP.VIRUS I will return your mail with a call! Otherwise, you're just blowing smoke my friend. I know what I know.

-Zep-
========================================================================

- --
William G. Hudacek                  Internet: whudace@dad.bgsu.edu
University Computer Services        Bowling Green State University

------------------------------

Date: Tue, 06 Dec 94 14:26:55 -0500
From: DJenkins@UH.EDU (David Jenkins)
Subject: DA'BOYS Virus (PC)

Two computers we work with have been infected with the DA'BOYS virus. Neither McAfee nor CPS was able to detect the virus, which was visible using Norton DE to look at the boot record. (Virus has been removed using FDISK /MBR and SYSCON.)

Question: Why couldn't these packages detect the virus at all, even though "DA'BOYS" occurs frequently in the files associated with these products? If DA'BOYS appeared to be invisible, are there others that are also invisible? Which ones?
Why don't the vendors of these products note such considerations in their documentation? What kind of damage might we have suffered as a result of this infestation? (McAfee is silent on this.) After virus removal, one of the computers shows a memory size of 653,312. Is this an artifact of the virus? (Unfortunately, we don't know what the value was prior to the infestation.) I am submitting this for a colleague who has no access to a news reader. Please respond to him: CMITCHELL@UH.EDU TIA. 73 David F. Jenkins Decision and Information Sciences University of Houston KC5JRR ------------------------------ Date: Tue, 06 Dec 94 15:24:32 -0500 From: dtheo1@umbc.edu (theo dino) Subject: Re: Virus named Jack Ripper (PC) Seamus, Ripper spreads from a floppy onto a HD when an infected floppy is left in drive a: and the PC attmepts to boot from it. The virus is executed which causes it to copy itself onto the MBR of the HD. It also goes TSR and it infects every diskette that you try to access. BTW, we also traced the virus to a visiting consultants laptop. Hmmmm small world. It spread rather quickly, here at my work and onto other consultants laptops and back to the consultants home office. Dino ------------------------------ Date: Tue, 06 Dec 94 15:41:42 -0500 From: mwarchut@twain.ucs.umass.edu (Michael Warchut) Subject: Re: Need Help with Stoned Virus (PC) Scot P. Templeton (templeto@toadflax.cs.ucdavis.edu) wrote: : I had the Michael Angelo (sp?) virus a few years ago (when the big : media scare sent everyone searching for help). I had gone throught : every disk I owned, most of which were "non-bootable" (eg. no DOS). I : found roughtly 70% of my disks were also infected. Let my first hand : knowledge enlighten those who still do not believe. Yep 'tis true. Every diskette that has been formatted has a boot sector with code that gets executed everytime you boot to that diskette. 
If you did not format with DOS on it, the code simply prints a message
such as "non-bootable disk, insert dos disk and reboot". If it has DOS
on it, it will execute the DOS bootstrap code. A virus can replace this
boot sector code and get executed, hence put into memory, every time you
try to boot to it whether or not DOS was installed on the disk.

As a precaution you should ALWAYS hit reset after accidentally booting
with a floppy in the disk drive instead of just hitting a key to
continue or even Ctl-Alt-Del. Can't be too safe...

...Glenn
gathib@camlot.monsanto.com

------------------------------

Date: Tue, 06 Dec 94 16:39:43 -0500
From: ANTHONY APPLEYARD
Subject: What Genb etc is (PC)

Ref repeated puzzlement what Genb & Genp are: I get the impression that
it is as follows. Please correct me if I am wrong.

When SCAN reports the xxxx [yyyy] virus, the virus is called xxxx, and
CLEAN must use the method called [yyyy] to remove it. [Genb] is a method
of removing various specific viruses and also indefinitely bad boot
sectors. If the method is specific to one virus, it is named the same as
the virus but in square brackets: it is quicker to report and pass onto
CLEAN e.g. `Michelangelo [Michelangelo]' than `Michelangelo
[Michelangelo_remover]' and so on for every virus with a specific
remover.

With specific v. general removers and their names, it is like a
pest-control man being told this:-

                SCAN says                   CLEAN is told
SPECIFIC:-
                found: mouse [mouse]        clean [mouse]   /* use mousetrap */
                found: rat [rat]            clean [rat]     /* use rat trap */
GENERAL:-
                found: crows [shotgun]
                found: rabbits [shotgun]
                found: burglars [AK47]
                found: escaped_lion [AK47]

------------------------------

Date: Tue, 06 Dec 94 17:28:48 -0500
From: greenber@ramnet.com (Ross M. Greenberg)
Subject: RE:FLU-SHOT (PC)

>....it was one of the first programs who deal against viruses....

Historical note: actually, it was the first program to do so.

>....owner of the company is (was) Ross Greenberg....

"I'm not dead yet!"
"Oh, shut up! You will be soon..."

>...The company now has a new name "Datawatch"...

Actually, the company is still called Software Concepts Design. The
enhanced version of Flu_Shot+ was first sold to a company called HJC,
who marketed it right into the ground. Then that company assigned/sold
it to Microcom, who marketed it a little further into the ground. That
company then assigned/sold it to Datawatch. I think that *they're*
watching the program *very* carefully to see if it can market itself.

The code was renamed to Virex/PC and it is still being busily worked on
by a fellow named Glenn Jordan -- a damned fine coder and anti-virus
researcher. He was just commenting on another release that will somehow
escape the marketing clutches of Datawatch and make itself available for
download from "all the usual places". Er....my phraseology since Glenn
has nothing but the kindest words for Datawatch, his employer.

I'm not an employee of Datawatch and can not speak for them. I just
await royalty checks and wait to see if my product pokes its head out of
its marketing hole and gets scared by its own shadow....

Regards,

Ross

- - --
Ross M. Greenberg          Virus Acres              914-586-2023
greenber@ramnet.com        New Kingston, NY 12459   Fax: 914-586-2025
For info on RamNet: send mail to ramnet@ramnet.com  DOS<==>UNIX autoreply

------------------------------

Date: Tue, 06 Dec 94 19:19:00 -0500
From: "Jimmy Kuo"
Subject: Re: Happy birthday PC Virus. Please Help! (PC)

Javier Vizcaino wrote:
>I have been asked about a PC virus playing "Happy birthday" from
>time to time, which resists detection (several antivirus dated
>more or less mid 94). Does anyone know?

There is a report of the following nature: You are supposed to contact
the chip company to get this resolved. (Credit for this report goes to
Jakub Kaminski, CYBEC.)
[There are trojanized BIOS chips out there]

The sticker on the trojanized BIOS chip says:

    AMIBIOS
    AMERICAN MEGATRENDS
    486DX ISA BIOS
    (c) 1993
    AB 3756612

The next three faulty chips (all with Flash) had numbers (telephone
report):

    AB 3756271
    AB 3756631
    AB 3738981

The one that is supposed to be clean is (telephone report):

    AB 3800510

So it looks like there are at least 17650 trojanized systems around.

The easiest way of identifying the trojan is:

- change date to 13th of November (year doesn't matter)
- reboot PC

After displaying messages similar to the ones below, you'll hear the
tune.

    Cache in 2-Bank!
    33.06x2 MHz CPU Clock
    Intel SL CPU Detected
    (stops and plays here)

The significant ASCII strings inside the BIOS area:

    F000:0060  Date:-04/04/93 (C) 1985-1993,AMI American Megatrends Inc.,All Rights Reserved...
    F000:2DFA  M82C498 Evaluation BIOS v1.55
    F000:8150  486 BIOS 5.00-2.1
    F000:FF59  (C)1992AMI,404-263-8181

Jimmy Kuo
Norton AntiVirus Research

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 100]
******************************************
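Three posts in this digest come down to the same defensive task: Glenn's reply on Stoned (every formatted diskette carries bootstrap code that runs whenever the machine boots from it, DOS or no DOS), the DA'BOYS report (an infection the scanners missed but which was plainly visible when the boot record was opened in a disk editor), and Jimmy Kuo's list of ASCII strings at F000:xxxx offsets that identify a BIOS image. In each case the defender looks at the raw bytes, knows which part of them executes, and compares that part against something known-good. The Python below is an added example written for this digest, not code from any poster, product or company mentioned here. It parses a 512-byte sector, tells a DOS diskette boot sector from a hard-disk MBR, fingerprints only the executable region (so a relabelled or re-dated volume still matches its baseline), and extracts printable strings with offsets the way a disk editor or strings(1) would show them. The sector images, the baseline entry and all sample text are constructed for the example; no real virus or BIOS image is involved.

```python
import hashlib
import re
import struct
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 512
CODE_END = 0x1FE      # offset of the 55 AA signature; everything before it is code/data
PART_TABLE = 0x1BE    # MBR partition table: 4 entries of 16 bytes


def build_floppy_boot_sector(code: bytes, oem: bytes = b"MSDOS5.0") -> bytes:
    """Constructed 1.44 MB FAT12 boot sector: short jump, OEM name, BPB, then CODE."""
    bpb = struct.pack("<HBHBHHBHHHII", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    ext = struct.pack("<BBBI", 0, 0, 0x29, 0x12345678) + b"NO NAME    " + b"FAT12   "
    header = b"\xEB\x3C\x90" + oem + bpb + ext          # 0x3E bytes, so the jump lands on CODE
    body = header + code
    if len(body) > CODE_END:
        raise ValueError("boot code too long for one sector")
    return body.ljust(CODE_END, b"\x00") + b"\x55\xAA"


def build_mbr(code: bytes) -> bytes:
    """Constructed master boot record with one bootable primary FAT16 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xBF\x3F", 63, 32256)
    return code.ljust(PART_TABLE, b"\x00") + entry + b"\x00" * 48 + b"\x55\xAA"


def parse_sector(sector: bytes) -> dict:
    """Classify a raw 512-byte sector and locate the region that the BIOS will execute."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    info = {"valid_signature": sector[CODE_END:] == b"\x55\xAA"}
    oem = sector[3:11]
    if sector[0] == 0xEB and all(0x20 <= b < 0x7F for b in oem):
        # DOS-formatted diskette: JMP SHORT rel8 skips the BPB, so code starts at 2 + rel8
        fields = struct.unpack_from("<HBHBHHBH", sector, 11)
        info.update(kind="dos boot sector", oem=oem.decode("ascii"),
                    bytes_per_sector=fields[0], sectors_per_cluster=fields[1],
                    fats=fields[3], root_entries=fields[4], total_sectors=fields[5],
                    media=fields[6], code_range=(2 + sector[1], CODE_END))
    else:
        # Otherwise treat it as a hard-disk MBR: code first, partition table at 0x1BE
        parts = []
        for i in range(4):
            flag, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector, PART_TABLE + 16 * i)
            if ptype:
                parts.append({"bootable": flag == 0x80, "type": ptype, "lba": lba, "sectors": size})
        info.update(kind="master boot record", partitions=parts, code_range=(0, PART_TABLE))
    return info


def code_fingerprint(sector: bytes) -> str:
    """SHA-256 of just the executable region; the BPB/label/volume id do not affect it."""
    start, end = parse_sector(sector)["code_range"]
    return hashlib.sha256(sector[start:end]).hexdigest()


def check_against_baseline(sector: bytes, baseline: Dict[str, str]) -> str:
    """Look the fingerprint up in a table of boot code written by a trusted FORMAT/FDISK."""
    return baseline.get(code_fingerprint(sector), "UNKNOWN boot code: inspect before trusting it")


def printable_strings(data: bytes, min_len: int = 4, segment: Optional[int] = None) -> List[Tuple[str, str]]:
    """Like strings(1); SEGMENT renders offsets as SEG:OFF, e.g. F000:0060 for a BIOS dump."""
    out = []
    for m in re.finditer(rb"[\x20-\x7E]{%d,}" % min_len, data):
        label = f"{segment:04X}:{m.start():04X}" if segment is not None else f"0x{m.start():04X}"
        out.append((label, m.group().decode("ascii")))
    return out


# --- constructed samples (not real disk images) ---------------------------------------
CLEAN_CODE = (b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h; sti
              b"Non-System disk or disk error\r\nReplace and press any key when ready\r\n")
CLEAN_FLOPPY = build_floppy_boot_sector(CLEAN_CODE)
# Same BPB, different code: stands in for a diskette whose bootstrap has been overwritten
ALTERED_FLOPPY = build_floppy_boot_sector(b"\xEB\xFE" + b"CONSTRUCTED SAMPLE: bootstrap replaced")
SAMPLE_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"Invalid partition table")
BASELINE = {code_fingerprint(CLEAN_FLOPPY): "constructed clean 1.44 MB DOS boot sector"}

if __name__ == "__main__":
    for name, sec in (("clean floppy", CLEAN_FLOPPY), ("altered floppy", ALTERED_FLOPPY), ("mbr", SAMPLE_MBR)):
        info = parse_sector(sec)
        print(f"{name}: {info['kind']}, signature ok={info['valid_signature']}, "
              f"baseline={check_against_baseline(sec, BASELINE)}")
        for off, text in printable_strings(sec):
            print(f"    {off}  {text}")
```

Run stand-alone it prints each sample's classification and the strings it contains; the altered diskette image comes back as UNKNOWN boot code because its executable region no longer hashes to the baseline, even though its BPB and volume label are identical to the clean one. On a real machine the baseline entries would be hashes of boot sectors and MBRs written by a trusted FORMAT or FDISK, which is the check-before-you-trust counterpart of the FDISK/mbr rewrite the DA'BOYS post used for clean-up, and passing `segment=0xF000` to `printable_strings` on a BIOS dump reproduces the F000:xxxx listing style of the trojanized-chip report.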