VIRUS-L Digest   Tuesday, 20 Dec 1994    Volume 7 : Issue 101

Today's Topics:

REQUEST: Any info (history, tall-tales) on viruses && hacking
Re: CVIA -- does it still exist and how can I reach it?
Re: Comments about MD5
Re: Mainframe Viruses? (IBM VM/CMS/etc)
OS/2 Virus'? (OS/2)
Re: OS/2 Virus Susceptibility? (OS/2)
Re: VCL?? (PC)
TBAV sig file wanted (PC)
GenB virus alert (PC)
Re: Network Antivirus NLM's / need advise (PC)
RE:re:DOOM II (PC)
ThunderByte AntiVirus (PC)
Traces of tequila with McAfee... (PC)
Windows Virus (PC)
SigAr PT <== anyone knows this virus? (PC)
Re: memory scanning (PC)
F-Prot on diskless workstations (PC)
Re: GenB SOLVED! (PC)
Re: Anti CMOS virus - help! (PC)
Re: Can a master boot record be repaired? (PC)
Re: Disabling TSRs (PC)
Qk virus (not) on netware server (PC)
Readiosys virus info requested (PC)
Re: Network Antivirus NLM's / need advise (PC)
Re: Can a virus spread like this? (PC)
Re: Disabling TSRs (PC)
Re: Problems with NYB GENB virus (PC)
Re: PC drops out of Windows. Virus? (PC)
Re: Boot sector virus won't die (PC)
Question: Infection Misconceptions? (PC)
Lyceum.930 virus (PC)
Re: DOOM II (PC)
Re: Boot sector virus won't die (PC)
Re: Doom1.6bt and viruses? (PC)
Bug report: NAV 3.0 (PC)
Re: Boot sector virus won't die (PC)
Re: Doom1.6bt and viruses? (PC)
Re: Help, how to remove One_Half virus from MBS of hard disk? (PC)
Re: Can a master boot record be repaired? (PC)
Re: FORM virus on Doublespaced Drives (PC)
What is the NYB virus? (PC)
Re: InVircible (PC)
About memory scanning (PC)
Thunderbyte anti-virus v6.30 now available from SimTel (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc.
(The complete set of posting guidelines is available by FTP on
CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign
submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives
is distributed periodically on the list. A FAQ (Frequently Asked Questions)
document and all of the back-issues are available by anonymous FTP on
CORSA.UCR.EDU.

Administrative mail (e.g., comments, suggestions, beer recipes) should be
sent to me at: krvw@ASSIST.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 07 Dec 94 05:15:16 -0500
From: ccjm@st-andrews.ac.uk (-Colin-)
Subject: REQUEST: Any info (history, tall-tales) on viruses && hacking

I have to give a talk on "Hacking serves a useful social purpose" soon,
and am having a surprisingly hard time finding on line sources. Could
anyone kindly point me in the direction of any archive stuff about
viruses, hacking or anything at all even remotely related to them? I am
desperate enough to read anything at the moment, and any horror stories
or moments of triumph that you would care to share would be more than
appreciated.

Thanks in advance,
-Colin-

------------------------------

Date: Wed, 07 Dec 94 09:48:00 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: CVIA -- does it still exist and how can I reach it?

julian@panix.com (Julian Dibbell) writes:

>I need some data on the antivirus industry for an article I'm writing for
>_Wired_. Does anybody know if the Computer Virus Industry Association is
>still in existence?

CVIA ? Are you sure you don't mean AVPD ? As far as I know, CVIA never was
a "real" organization - it was mostly just an extension of John
McAfee....AVPT (Anti-Virus Product Developers) is, however, an active
organization.
>Alternatively, if anyone has authoritative figures for the current size of
>the antivirus industry (in $$$ sales), that might save me the phone call.

I don't think that this information is available.

- -frisk

------------------------------

Date: Wed, 07 Dec 94 18:37:32 -0500
From: Keith@kapeer.netcom.com
Subject: Re: Comments about MD5

writes:

> There are several people commenting that I should not be distributing
> this data unless I am listed as an agent of the A-V software.

And they are right. Security type information should only come from people
directly involved with the product, not third parties. Who does one
believe, the AV developer or a third party? Of course the developer,
distributor, or authorized agent. Not a third party! If one needs to verify
an archive is authentic, who does one contact? The nearest agent for the
software. Not my friend down the block.

> I do not wish to be an agent for any A-V developer because other reports
> would be in question "What's his angle? Are these values legitimate or

You are trying to act as a clearing house for AV software. This type of
information should ONLY be obtained from a party directly involved with its
distribution.

> Here are a few points in favor of my CHK-SAFE reports.
> [snip]
> 3. MD5 is a cryptographically strong 128 bit one way Hash developed by
>    RSA Data Security, Inc. Users may use CHK-SAFE or any MD5 compatible
>    program they wish to verify authenticity.
> 4. Some have suggested that I generate one Hash for the archive. Hacker.
> 6. I post these Hash Values into 15+ virus conferences so the users can

You are missing the WHOLE POINT! Quantity is not the issue! I could
broadcast this to 100+ news groups with a couple of clicks of my mouse
button. That does not mean it is authentic.

[snip]

You are missing the WHOLE POINT again. MD5 is a strong hash, but that is
not the issue with your reports. It's where they are coming from.
Antivirus software by nature is security software protecting the
operations of PCs, and verifying the authenticity of the files should ONLY
be done by AV developers, distributors, authorized agents. People involved
directly with the product.

> check integrity of A-V software on local BBSs.
>
> Not everyone can afford to call support BBSs to obtain A-V software.
>
> Stepping down from soapbox now.

Keith

------------------------------

From: James Harvey
Subject: Re: Mainframe Viruses? (IBM VM/CMS/etc)

gjw@tdc.dircon.co.uk (gjw) writes:

> MVillegas writes:
>
>> Has anyone heard of an IBM mainframe virus? Do or have they
>> existed?
>
> To expand on the above question, how common and dangerous are viruses
> for platforms other than PCs. Just about every virus discussed in
> this group seems to be PC (or more specifically DOS) based.

Negligible. On multi-user systems with file system protection schemes,
typically some system administrator installs all system executables, and
users do not have write access to them. Typically, system binaries are
purchased from a reputable source or built from source code. This severely
limits the opportunities for viruses to spread. Not having write access to
the boot sector helps a lot too :-)

Since the opportunities are so limited, no one bothers to write any. It
is, of course, technically possible to write one; all you need to know is
the format of executables, how they are loaded, and a gullible system
administrator.

> I know there are some Mac viruses but the common tools such as
> GateKeeper seem to be effective in preventing them spreading.

With PCs you can use file servers to protect executables from write access
by users. Of course, their hard drives are still vulnerable.

> Is this because DOS has an inherent weakness or just that there are
> more DOS systems to infect.

Both, actually.

- --
James Harvey  harvey@iupui.edu  IUPUI IT Networks and Systems
Disclaimer: These are my own opinions.
I do not speak for Indiana University.

------------------------------

Date: Wed, 07 Dec 94 09:48:03 -0500
From: lrgray@ix.netcom.com (Lee Gray)
Subject: OS/2 Virus'? (OS/2)

A flyer from Central Point for their Anti-Virus for OS/2 came across my
desk Wednesday and that prompted a healthy discussion on the dangers of
OS/2 viri (sp?).

First off, are there viri out there designed specifically for OS/2? If so,
can somebody please supply names, etc... I have done a scan through my
latest copy of VSUM and could not find any virus reference to OS/2.

And, can OS/2 become infected by a virus? My manager claims that with the
new memory mgmt. performed by OS/2 a virus cannot infect it. However, a
virus can still infect the DOS/WINDOWS portion of OS/2. I agree with a
virus infecting the DOS/WINDOWS portion of OS/2; however, I am not sure
that a virus _cannot_ infect OS/2.

Any comments pro / con?

Thanks,
Lee

------------------------------

Date: Wed, 07 Dec 94 20:38:25 -0500
From: kellogg@netcom.com (Lucas)
Subject: Re: OS/2 Virus Susceptibility? (OS/2)

Moses A. Fridman (maf10@po.CWRU.Edu) wrote:
: Does anyone know how DOS viruses such as Monkey would behave under OS/2?
: Does anyone know of native OS/2 viruses, or virus scanners?

Boot sector viruses such as the Monkey can indeed write themselves to a
hard disk in which OS/2 is installed. The common scenario would be a user
leaving an infected data disk in the A drive, and then powering up the
system. One requirement....the computer MUST be a PC. The virus will then
use the system BIOS routines to write itself to the hard disk.

Now, on subsequent boots from the hard disk, one of two things will occur
depending on the original partitioning of this disk: either the operating
system will be corrupted, or the virus will load, and then will be
disabled when OS/2 loads.
DOS based viruses cannot survive within other OSs; however, boot sector
viruses that use the BIOS routines to infect hard disks will write
themselves to any disk if the hardware is a PC, regardless of the OS. This
has occurred on UNIX and Windows NT workstations as well as OS/2. Hardware
is the key under the scenario described above.

I hope this little tidbit helps,

Kd Lucas

------------------------------

Date: Tue, 06 Dec 94 20:09:08 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: VCL?? (PC)

Nick FitzGerald wrote:
>> FireCracker, NuKE
>
>I've asked Ken whether postings from people like this really should be
>accepted.

Of course they should. Why wouldn't they be? He didn't post up anything on
"here is my latest virus for you all to run." It's beneficial for people
to see both sides of the story, don't you think?

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
    Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *

------------------------------

Date: Tue, 06 Dec 94 21:22:03 -0500
From: sinclaij@stanilite.com.au (UL ENG)
Subject: TBAV sig file wanted (PC)

I have the latest copy of ThunderByte antivirus but the last official
signature file I can find is May 93. Is this the last one or are there
later ones out there? Has someone been maintaining their own? Can someone
tell me if I can get a later version and where?

Thanks

- ----------------------------------------------------------------------------
Jeff Sinclair                      | Stanilite Electronics Pty. Ltd.
Engineering Division               |
telephone: +61 9 244 4644 x127     | 18 Hasler Road
facsimile: +61 9 445 1988          | Osborne Pk. WA 6017.
e-mail: jeff@asgard.dialix.oz.au   | Australia
        sinclaij@stanilite.com.au  |
- ----------------------------------------------------------------------------

------------------------------

Date: Tue, 06 Dec 94 21:45:56 -0500
From: vallie@ripco.com (Vallie Henry)
Subject: GenB virus alert (PC)

I have sometimes cleaned GenB with the McAfee CLEAN and I get the prompt
that the virus has been removed, but when I rescan, the disk sometimes
shows as still infected, or the original boot sector cannot be found. It
sometimes helps to load the system with the DOS SYS command. As I
understand it, this writes something (the system) in the boot sector,
writing over where a virus remnant may still exist.

- --

------------------------------

From: senteck@iss.nus.sg (Tan Sen Teck)
Subject: Re: Network Antivirus NLM's / need advise (PC)

>From: kloeppej@ccmail.orst.edu (John Kloepper)
>Subject: Network Antivirus NLM's / need advise (PC)
>Date: 5 Dec 1994 11:13:55 -0000

>We are currently looking into antivirus NLM's to run on our Novell servers.
>To date all i've been able to find is netshld from McAfee. Can any one
>provide information on other options or an opinion on netshld?

A couple of commercial ones I can think of are Cheyenne's Inoculan and
Intel's Virus Protect.

- -----------------------------
Tan Sen Teck
Institute of Systems Science
National U. of Singapore
Internet: senteck@iss.nus.sg

------------------------------

Date: Tue, 06 Dec 94 23:02:36 -0500
From: horrock@aol.com (Horrock)
Subject: RE:re:DOOM II (PC)

BTW, there are and have been software companies, including Microsoft and
Lotus, which have shipped virus infected products. So yes...I know
software companies, even the best, have screwed up and shipped infected
software. Therefore your point is not made here. But I do agree hardware
does break, and bad programming does exist, and that management types and
other morons jump on the virus bandwagon unfairly, acting out of their
stupidity.
------------------------------

Date: Tue, 06 Dec 94 23:31:09 -0500
From: sinclaij@stanilite.com.au (UL ENG)
Subject: ThunderByte AntiVirus (PC)

I have the latest copy of ThunderByte antivirus but the last official
signature file I can find is May 93. Is this the last one or are there
later ones out there? Has someone been maintaining their own? Can someone
tell me if I can get a later version and where?

Thanks

- ----------------------------------------------------------------------------
Jeff Sinclair                      | Stanilite Electronics Pty. Ltd.
Engineering Division               |
telephone: +61 9 244 4644 x127     | 18 Hasler Road
facsimile: +61 9 445 1988          | Osborne Pk. WA 6017.
e-mail: jeff@asgard.dialix.oz.au   | Australia
        sinclaij@stanilite.com.au  |
- ----------------------------------------------------------------------------

------------------------------

Date: Wed, 07 Dec 94 00:00:35 -0500
From: palmer@cactus.texas.net (Doug Palmer)
Subject: Traces of tequila with McAfee... (PC)

We have one system which reports "traces of the tequila virus found in
memory" after booting from the HD, but not from clean floppy. This is
with the latest McAfee we could find on the net (don't have the specific
version handy, but I can get it). F-Prot 2.15 reports no problem, as does
CPAV.

Any chance this is a false positive? Appreciate any help.

Douglas Palmer
palmer@jud.fed.us

- --
Doug Palmer                    | "I believe in Christianity as I
Internet: palmer@texas.net     |  believe that the sun has risen,
CourtNews: palmer@jud.fed.us   |  not only because I see it, but
Fidonet: 1:387/31 (1:387/0)    |  because by it, I see all else."

------------------------------

Date: Wed, 07 Dec 94 00:59:25 -0500
From: dannyman@ripco.com (Dan Howard)
Subject: Windows Virus (PC)

I am posting this for a friend. I do not know the group rules here; please
email him any relevant information ...
>From CUNNSEA@minna.acc.iit.edu Tue Dec 6 23:54:55 1994
Date: Tue, 06 Dec 1994 23:32:07 -0500 (CDT)
From: SEAN CUNNEEN
To: dannyman@ripco.com

The form virus is wreaking havoc here on any computer running windows,
know anything about it? My mom also got it on her computer at work and it
infected the whole office.

SEAN CUNNEEN
cunnsea@minna.acc.iit.edu

I thank you for your patience and understanding. :)

- --
This message brought to you by dannyman@ripco.com
A1200
Wanna lot of stupid forwarded email? Let me know. :)

------------------------------

Date: Wed, 07 Dec 94 01:22:52 -0500
From: ka-pui@cae.wisc.edu (Ka-pui Ko)
Subject: SigAr PT <== anyone knows this virus? (PC)

It prevents me from running Windows; please respond if you know the way
to kill it. Strange that only "MSAV.EXE" from DOS 6.2 detects it.

Please help!

kevin

------------------------------

Date: Wed, 07 Dec 94 02:07:48 -0500
From: "Frans Veldman"
Subject: Re: memory scanning (PC)

Iolo Davidson wrote:
>
> And further to that, whatever Thunderbyte is designed to do,
> the actual performance under test conditions showed that it did
> not cope sensibly with viruses in memory. Whether you think this

As it appears that you are still unable to get my point, let's try it
again.

TBAV is a very bad text processor. Some other anti-virus products have a
very nice text processor to type in your signatures. The point is, TBAV is
not designed to have a full fledged text processor, since we, developers
of TBAV, considered it not to be an important necessary component of an
anti-virus product. The lack of a word processor doesn't mean however
that TBAV is a bad product.

The same applies to memory scanning. For some reason you consider memory
scanning as a necessary component of an anti-virus product.
We have tried and failed to explain to you that locating viruses in memory
is not and has never been the goal of anti-virus products, but an aid to
achieve the real goal of anti-virus products: detecting viruses on disks.
If a product is capable of reaching that goal by using different methods,
then it should not get a penalty for not using a specific aid.

In our opinion, the test should have been designed as follows:

1) Load a stealth virus in memory.
2) Infect a dozen files.
3) Execute the scanner (with the virus still in memory).

There are three results possible:

a) The scanner is still able to point out which files are infected.
   Since the scanner doesn't get disturbed by the stealth virus, it
   reaches its goal, and the result should be considered as 'positive'.
b) The scanner is not able to detect the infected files because of the
   stealth virus, but instead notices this potentially dangerous situation
   by detecting the virus in memory. In this case the result is also
   'positive'.
c) The scanner fails to detect all viruses on disk but also fails to
   detect the virus in memory. The result is 'negative'.

The article we are currently discussing didn't consider situation 'a)'
at all, and showed a negative result for those products which were
actually able to handle the situation properly. The main problem of this
test was the failure to see that memory scanning is just an aid, and they
considered memory scanning as a goal by itself.

The real problem however was not the test, but your reaction here.
Someone asked: Is TBAV a good product. Your answer: We did a test on
memory scanning, and TBAV was the worst product tested. Some people here
understand that:

1) Memory scanning is not the main component of scanners and therefore
   shouldn't be used to judge a whole product.
2) Showing this information here WITHOUT my comments on it doesn't
   reflect the original article.
3) This answer just irritates me.
4) Reviewers should not comment on products when they are 'off-duty'.
Let me explain the latter point in more detail. When someone asks in a
public forum how good "SCAN" is, it would be very unethical and
unprofessional if *I*, TBAV developer, would answer this question. I know
a lot about viruses and anti-virus products, so I would be very qualified
to answer this question, and there wouldn't be a law against it, but it
would just be unethical. Imagine what we would get if Paul Robinson,
Richard Ford, an author of PC magazine, etc. all would answer "which
product is good" questions in this forum? You would create a lot of
confusion and a lot of enemies. Furthermore, it would trigger a lot of
comments from AV developers who simply wouldn't agree.

Furthermore, if I submit a product for testing purposes for Secure
Computing, I expect to see an article in Secure Computing, but I don't
expect an employee of Secure Computing to run away with all information
and use it wherever he thinks it applies.

> When designing technical tests, we have to use our own expert
> judgement as to what aspects to include in the testing. And we
> *are* experts in this field. We cannot allow the software
> producers to dictate test conditions, because they will all want
> us to test the things they are good at and ignore the areas in
> blah blah.

I have seen similar statements from Patricia Hoffman, Doren Rosenthall,
Bill Lambdin and a dozen others. They all claim that THEY are the experts,
and that they don't need to listen to the AV developers.

YES!!!! Of course you have to listen to the developers! They are the only
ones with practical experience in the field, they KNOW why they have
chosen a specific solution, and they KNOW how their products should be
tested! We have had a similar situation with 'fake viruses' designed to
test anti-virus products, which seemed a good idea, until the DEVELOPERS
explained HOW their scanners work, and why testing their products with
random signatures does not work.

A reviewer may know how a virus works, but is NOT an expert.
He hasn't had to answer support calls from users for several years. He
hasn't experienced compatibility problems with the design of anti-virus
products. He doesn't know how badly some solutions perform in the real
world. He doesn't know how the anti-virus products work internally.

Recently I had a discussion with a reviewer who wants to test
checksummers. He intended to make random changes to files, to test
whether anti-virus products would detect the changes. After I explained
to them that our product tries to distinguish between changes which are
the result of an infection and changes that are the result of
configuration changes, he understood that he should use real viruses for
this test, and not randomly change files, as this would result in a
penalty for the smarter products.

As a reviewer, you have to listen to the developers, and judge this input
for validity and adapt your tests where applicable. If you make a mistake,
AV developers will jump on you. If you don't like that, you should not
try to play a dominant position in this field.

- --
Thunderbye, Frans Veldman
<*** PGP public key available on request ***>
Frans Veldman          Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl   Fax   (ESaSS)  + 31 - 80 789 186
2:280/200.0@fidonet    Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Wed, 07 Dec 94 04:52:35 -0500
From: ccbb@kudu.ru.ac.za (Mr BT Bonnevie)
Subject: F-Prot on diskless workstations (PC)

Hi

I recently posted the following message to this news group, but fear it
may not have reached anyone! We did have some problems with our system
here at the time:

> Hi
> I would like to use VirStop (the TSR virus stopper that comes with F-Prot) on
> our diskless workstations. I have created a bootimage that loads VirStop
> just before loading the netx Netware shell and this works. When you log
> onto the Novell server, however, VirStop continuously looks for a floppy
> disk in the a: drive and this significantly reduces the performance of the
> workstation.
>
> Does anybody know of a way of solving this problem?

I have now worked a bit further on the problem and realise that it does
not matter how I load VirStop on a diskless (i.e. no hard disk)
workstation; VirStop will always do seeks to the a: drive. Even after I am
logged in and load VirStop from a network drive; f:\login\virstop.exe (I
have tried /noboot /nocopy /nowarm and combinations) the problem persists.

I believe this is not an unexpected problem, as other virus protection
schemes provide a /nodisk switch to overcome this exact problem.

I have contacted the local technical support here, but they have not been
able to help yet.

Any ideas?

Kind regards
Bo

- -----------
Bo Bonnevie                    e-mail: ccbb@kudu.ru.ac.za
Computer Services, Rhodes University, Grahamstown, 6140, South Africa
=====================================================================

------------------------------

Date: Wed, 07 Dec 94 08:28:42 -0500
From: sbringer@netcom.com (John Constantine)
Subject: Re: GenB SOLVED! (PC)

youngcr@gvsu.edu wrote:
: I had a friend whose computer was infected with it and we killed it without
: losing any data at all. The first thing you have to do is to pull the battery
: off of the mother board. Then you have to have a CLEAN startup disk to work
: with. Boot the computer using the disk and use FDISK /MBR. I don't know if
: you have all heard of the origin of mass distribution of this lovely virus,
: but you can thank a company named Bikealog. Don't get me wrong, they are
: still a good company, they just need to check for viruses before sending out
: their disks.

erm.... glad you solved the problem, but I hardly see how pulling the
battery off the mother board helps.....
seems a bit extreme for such a simple virus as one detected by McAfee as
[GENB] usually tends to be....

btw - GENB is not a particular virus, it is one of many that McAfee hasn't
bothered to identify specifically in SCAN.EXE. Also, be careful with using
the MBR trick, as it will cause problems in cases where the partition
table is moved and/or encrypted, such as was the case with
Stoned.Empire.Monkey.

MY recommendation would be to get a scanner that can properly identify the
virus, and only use the fix you explained (minus the battery and
motherboard part) as a last ditch attempt, or find someone that can
analyse any "unscannable" viruses you run into in the future to make sure
the fdisk technique is safe.

Cheers,
Stormbringer, Phalcon/SKISM
a.k.a. John Constantine

------------------------------

Date: Wed, 07 Dec 94 09:55:23 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Anti CMOS virus - help! (PC)

ajmor5@giaec.cc.monash.edu.au (Andrew Morrissey) writes:

>So if it infects the hard drive.... well... maybe this is the only
>way to go, unless there is other methods? *sigh*

FORMATTING IS _NEVER_ NECESSARY TO GET RID OF A VIRUS FROM THE HARD DISK

I guess it's time to post the note below again....

- -----------------------------------------------------------------------------
Frisk Software International - Technical note #8

Generic boot sector disinfection

Although F-PROT is usually up-to-date with respect to virus detection and
disinfection, there are occasional cases of a virus infecting a machine
before we have implemented disinfection of that particular virus. The
instructions below describe a "generic" method for the removal of boot
sector viruses.

If the virus infects the Master (Partition) boot sector:

Create a bootable system diskette on a different (clean) machine that is
running DOS 5 or 6, with the FORMAT /S or "SYS" commands. You cannot use
DOS 4 or older for this purpose. Copy the file FDISK.EXE to that diskette
and write-protect it.
Boot the infected machine with this diskette - do not rely on just
pressing Ctrl-Alt-Del...press the Reset button or turn the machine off and
then back on.

Check if you are able to access all partitions on the hard disk normally.
If they are not recognized, it might be because the virus encrypts the
partition data or overwrites it....in this case the generic disinfection
method described below is not possible. One method which will often work
in that case is to wipe out the MBR with a disk editor, and then run NDD
and tell it to recover the lost partitions. My favourite tool for this
purpose is NDD version 4.5. However, you should make a backup copy of the
(infected) MBR first - if you don't know how to do that, you probably
should not be fiddling with the MBR anyhow.

If you can access C: and other partitions, give the command FDISK /MBR.
This will overwrite the code part of the MBR - in effect "killing" the
virus. (note: if you are using Novell DOS 7.0, you need to select this
option from the menu, not give a command-line switch).

Reboot the machine normally from the hard disk.

If the virus infects the DOS boot sector:

Create a bootable system diskette on a different (clean) machine that is
running exactly the same version of DOS as the infected machine. COPY the
SYS.COM file from the DOS directory to the diskette and write-protect it.

Boot from the diskette and give the command SYS C:

In addition to copying the system files over (which is not necessary to
remove the virus), this will overwrite the DOS boot sector with "clean"
code, killing the virus.

- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Wed, 07 Dec 94 10:02:44 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Can a master boot record be repaired? (PC)

iolo@mist.demon.co.uk (Iolo Davidson) writes:

>I have heard of an ANSI bomb which launched a virus, ie.
>loaded it into memory and executed it.

A small correction - a slight human assistance is necessary - the user
must press ENTER or something like that after typing the file, but yes,
this is indeed possible.

- -frisk

------------------------------

Date: Wed, 07 Dec 94 10:07:39 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Disabling TSRs (PC)

jrice@pluto.pomona.claremont.edu (Jeffrey Rice) writes:

>detect the virus. My question: How easy is this to do? Are TSRs like
>Vshield and Virstop still secure, or will major changes have to take place to
>prevent such an attack?

Well, consider the following. A virus that is "known" to the TSR will be
stopped by it, before it gets a chance to disable it (unless it is
launched from a "dropper" program). In this case you don't have a problem.

A brand new virus does not have to disable the TSR to bypass it - the TSR
will not be able to recognize it anyhow. However, this would only cause a
security problem if the system later got infected by a different virus,
which would then be able to spread unnoticed. The chances of this
happening are fairly low.

- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Wed, 07 Dec 94 10:10:34 -0500
From: jlmcad01@homer.louisville.edu (Jeff McAdams (J McA))
Subject: Qk virus (not) on netware server (PC)

Ok, here's the situation. We had several computers in our lab start
reporting the Qk virus on server volumes (this comes from McAfee's
virshld, latest version). I ran McAfee's scan over the whole server
volume and found nothing from my Supervisor access account. What we
THINK has happened is that some of the PC hard drives have been infected,
and somehow the virus is causing virshld to think that nearly any
executable program is infected, so it is reporting the virus on network
drives.
We have found that formatting the hard drives and reinstalling everything
eliminates the problem, but I'm the curious (anal) type that wants to
know what exactly is happening. This isn't a great problem for us as we
have a network based program that automagically formats and reinstalls
all our software on the PC hard drives, but like I said, I want to know
what is happening.

If anyone has any information on this, I would appreciate some help as to
what is going on. I have just subscribed to this newsgroup, so I
apologize if this is a FAQ, but I will stay subscribed for at least a
period of time to catch any answers posted.

Thanks for your help.

Jeff McAdams, Supervisor
Computing Centers, University of Louisville

------------------------------

Date: Wed, 07 Dec 94 11:51:30 -0500
From: Craig Gardner
Subject: Readiosys virus info requested (PC)

I have searched the Net (using WEB searches and Veronica searches) for
information concerning the READIOSYS virus. I've also searched this
newsgroup and other newsgroups. So far I have not yet found any
information about this particular virus.

Any information you may have about the virus called READIOSYS would be
greatly appreciated.

Thank you.

_______________________________________________________
Craig Gardner                   Computing Systems Administrator
Craig_Gardner@byu.edu           BYU - College of Nursing

------------------------------

Date: Wed, 07 Dec 94 11:53:22 -0500
From: agentry@uga.cc.uga.edu (Anna Gentry)
Subject: Re: Network Antivirus NLM's / need advise (PC)

kloeppej@ccmail.orst.edu (John Kloepper) wrote:
>
> We are currently looking into antivirus NLM's to run on our Novell servers.
> To date all i've been able to find is netshld from McAfee. Can any one
> provide information on other options or an opinion on netshld?

John,

Same here! I've just taken over a project looking into finding a best fit
for our public access Novell networks. The concern I have is with TSR's.
We're running pretty tight on memory as it is and I need to find an anti-virus program that will catch and clean a wide variety of viruses including stealth viruses, with a not too exorbitant pricetag, good support, and will allow us to run applications such as WP 6.0 and, in the not-so-distant future, Windows. I've heard good things about Thunderbyte, F-Protect, and Solomon's Anti-Virus Toolkit. I could use some good observations/recommendations. Anna ------------------------------ Date: Wed, 07 Dec 94 12:21:34 -0500 From: dhusson@novell.business.uwo.ca Subject: Re: Can a virus spread like this? (PC) Iolo Davidson writes: >From: Iolo Davidson >Subject: Can a virus spread like this? (PC) >Date: 6 Dec 1994 16:29:26 -0000 > bartlett@io.org "Brendan Bartlett" writes: >> - Anyway, simply putting your floppy disk in a known infected >> machine (lets say with the Boot 437 virus) typing DIR (ok, >> now the disk can be infected my a memory resident virus) and then >> going over to a clean machine and typing DIR on that machine doesn't >> infect that machine, right? >The hard disk of the clean machine will not be infected just by >DIRing an infected floppy. However, some anti-virus software >will claim to find the virus in memory, because the boot sector >will have been read into a DOS buffer. No, it isn't active, >hasn't been executed, and there is no mechanism to execute it or >give it control, but it is in memory, technically. >Most anti-virus software does not report viruses as "in memory" >if they are in a DOS buffer, but those that do can be a source of >confusion as to whether a DIR can get you infected. Doing a dir of an infected floppy will laod the virus into memory in the case of the ANTIEXE and STONED.HENGE. The Viruscan software picks this up. If you write a file to your hard disk, the hard disk does become infected. 
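The distinction Iolo draws above (a boot sector sitting inert in a DOS buffer after a DIR versus a resident infector that has hooked an interrupt) can be shown with a small simulation. This is an added example, not code from the digest or from any scanner it names; the memory layout, the addresses, the 32-bit linear vectors and the "virus" marker are all constructed simplifications of real-mode DOS.

```python
"""Toy model: a memory scanner that pattern-matches only will report a
boot-sector virus 'in memory' after a plain DIR, because DOS has read the
sector into a disk buffer. Asking whether any interrupt vector points into
the matched block separates that inert copy from a live infector."""

SIGNATURE = b"BOOT437-MARKER!!"   # constructed stand-in for a scan string
SECTOR = 512
BOOT_LOAD = 0x7C00                # where the BIOS jumps into a boot sector
DOS_BUFFER = 0x20000              # constructed address of a DOS disk buffer
INT_DISK = 0x13                   # BIOS disk services, the usual hook target
MEM_SIZE = 0x40000                # 256 KB of simulated conventional memory


def new_memory():
    return bytearray(MEM_SIZE)


def set_vector(mem, intno, addr):
    """Simplification: vectors are 32-bit linear addresses, not seg:off."""
    mem[intno * 4:intno * 4 + 4] = addr.to_bytes(4, "little")


def get_vector(mem, intno):
    return int.from_bytes(mem[intno * 4:intno * 4 + 4], "little")


def infected_boot_sector():
    """Constructed 'infected' sector: the marker plus a fake INT 13h handler."""
    sector = bytearray(SECTOR)
    sector[0x3E:0x3E + len(SIGNATURE)] = SIGNATURE
    sector[0x100:0x103] = b"\xCF\x90\x90"   # IRET; stands in for handler code
    return sector


def dir_infected_floppy(mem, sector):
    """What DIR does: DOS reads the boot sector into a buffer to get the
    BPB. The bytes are copied, never executed, and no vector changes."""
    mem[DOS_BUFFER:DOS_BUFFER + SECTOR] = sector


def boot_infected_floppy(mem, sector):
    """What booting does: the BIOS runs the sector, and a typical boot
    infector then hooks INT 13h to point at code inside itself."""
    mem[BOOT_LOAD:BOOT_LOAD + SECTOR] = sector
    set_vector(mem, INT_DISK, BOOT_LOAD + 0x100)


def find_signature(mem):
    """All offsets at which the scan string occurs in simulated memory."""
    hits, start = [], 0
    while (i := mem.find(SIGNATURE, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan_memory(mem):
    """Return (offset, verdict) per match. A match is 'active' only if some
    interrupt vector points into the 512-byte block that holds it."""
    verdicts = []
    for off in find_signature(mem):
        block = off - off % SECTOR
        hooked = any(block <= get_vector(mem, n) < block + SECTOR
                     for n in range(256))
        verdicts.append((off, "active" if hooked else "inactive copy in buffer"))
    return verdicts
```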
------------------------------

Date: Wed, 07 Dec 94 12:32:51 -0500
From: padgett@goat.orl.mmc.com (Padgett 0sirius)
Subject: Re: Disabling TSRs (PC)

Jeffrey Rice writes:

> I've noticed when I run McAfee's Scan it informs me that Vshield is
>being disabled during the scan.

>According to the article, a retrovirus could use this to disable the
>intercept in such a way that it was either non-functional, or simply could
> not detect the virus. My question: How easy is this to do? Are TSRs
>like Vshield and Virstop still secure, or will major changes have to take
>place to prevent such an attack?

Can only speak for myself, but since the first released version (1990) my
DiskSecure has included a separate program (originally CHKSEC and currently
DS2CHK) that when executed will check to see if DiskSecure is still in
control and will return a series of errorlevels depending on what it finds.
Among other things, DS2CHK will simulate an attack and make sure that it is
trapped.

After a number of conversations I had with M & Co., VSHIELD received a
similar companion program, CHKSHLD, but since I did not write it, I do not
know exactly what it does.

The point is that only an external program can properly assess whether or
not a loaded TSR is working properly since *any* software, once loaded, can
be subverted by something that runs after it - it is just the nature of the
PC. Thus a virus can always (if intelligent enough) bypass a known TSR;
however, by the same rule, a later program (if intelligent enough) can
always determine if the TSR was bypassed.

Multi-layered approaches are best.

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.7 Public Key Available

------------------------------

Date: Wed, 07 Dec 94 13:00:24 -0500
From: woloshin@emr1.emr.ca (Dale Woloshin)
Subject: Re: Problems with NYB GENB virus (PC)

JOHANNA B. LIZARDI (jlizardi@osf1.gmu.edu) wrote:
: I am a student and also work at George Mason University. We
: have had a recent outbreak of the NYB genb virus. Our V117 version of
: McAfee VShield would not lock up the computers once infected with the
: virus. We were told that it was a new genb virus, and the software
: could not shield nor clean it. We have gotten the latest version of

We have been hit with a Generic Boot [Genb] virus as reported by McAfee
1.17. It infected four computers and numerous floppies. All were
successfully cleaned using FDISK /MBR for the computers and a manual
rewriting of the floppies. McAfee's Clean, when used on the floppies, did
not work, at least the first time, so I used debug to clear the virus from
floppies, before copying necessary files and reformatting the floppies
using the /u parameter.

* Note that in the above cases the viruses were caught and eradicated on or
before December 5, 1994. *

Just after midnight beginning December 6, 1994, a student who I suspected
had the virus (he was the unwitting agent of transmittal between a
university computer lab and the government department where I work) turned
on his computer system, and it immediately hung. It appears that both the
partition table and at least one of the FATs were destroyed. FDISK showed a
very oddly partitioned hard drive that did not correspond at all with what
he had, and in the end, he could not rebuild the partition table and FATs,
and had to repartition and reformat, which cleared up all traces of the
virus.

I don't know yet whether the found virus activates on Dec 6, as appears
suspicious, or if it was something else the person did. I have a copy on
floppy and hope to figure it out at some point--fortunately the person who
lost everything had his essentials backed up.

Dale.

------------------------------

Date: Wed, 07 Dec 94 13:40:30 -0500
From: cpcallen@undergrad.math.uwaterloo.ca (Christopher Allen)
Subject: Re: PC drops out of Windows. Virus? (PC)

wrote (quoting someone else at first):

>> I've been having trouble with the PC's (80+) at my company. Users have
>> been complaining that they'll be in Windows, and while idle, it will drop
>> out to the DOS prompt. They have not noticed any lost or corrupted files.
>> I occasionally bring files home, and now I seem to have the same problem
>> on my PC at home.
>> MS Anti-virus doesn't find anything. Is this a new virus? If so, how can
>> I get rid of it? I'd appreciate any response!
>>
>I haven't had this problem myself, but I suggest using an up-to-date virus
>scanner - even if you're using the MS-DOS 6.22 anti-virus program, it's AT LEAST
>6 months out-of-date (probably more, if Microsoft didn't update their virus
>list). You should try NAV 3.0 with an updated virus list (off
>FTP.SYMANTEC.COM) or a shareware product like F-PROT or SCAN.
>
>If it's a new virus strain, you'll need as new a virus scanner as you can get.

A friend had the same problem. We scanned his computer using all the usual
scanners, including fprot and McAfee's, to no avail. I don't think there
was a virus there, but I don't know. Interestingly, the problem stopped
when he upgraded from win3.1 to the new Windows for Workgroups.

- --
+-- Christopher Allen -----------------------+   .-===""===-  c====   .
|email: cpcallen@undergrad.math.uwaterloo.ca |  .   \ \____}}
|snail: Christopher Allen, N2L 3G6           |  .   * @====-'        .
+--------------------------------------------+  .   *

------------------------------

Date: Wed, 07 Dec 94 13:54:41 -0500
From: mwarchut@titan.ucs.umass.edu (Michael Warchut)
Subject: Re: Boot sector virus won't die (PC)

: Just a quick question about booting from a clean disk, will booting
: up and pressing F5 on bootup (to bypass a lot of stuff) mean booting
: clean? My guess is that it won't because it still has to load
: command.com, and if it is infected, this won't help. But if the virus
: is in, say, emm386.exe, then this will bypass it. Am I right here?

A clean diskette is one that is certified to be completely free from virii
and has been write protected so that it can't be infected. F5 just bypasses
some files in autoexec and config.sys, but most virii come from the boot
sector or command.com which are still loaded with F5.

------------------------------

Date: Wed, 07 Dec 94 14:11:23 -0500
From: moylek@mcmaster.ca (Kenneth Moyle)
Subject: Question: Infection Misconceptions? (PC)

I hope that someone with more intimate knowledge of viruses than I can
confirm a couple of things for me.

First: MS-DOS viruses cannot survive a warm boot.

Second: Boot-sector viruses on a diskette can only infect a pc if the
diskette is booted from (whether the boot was successful or not; i.e.
whether it had the system files or not).

Are these statements correct? Correct but for a few caveats?

Thanks....

....Kenneth Moyle

------------------------------

Date: Wed, 07 Dec 94 15:51:31 -0500
From: pirot@socrates.ceid.upatras.gr (Pete Pirot)
Subject: Lyceum.930 virus (PC)

I was infected by virus Lyceum.930. I'm using scan of McAfee but the virus
cannot be safely removed. Since I have no back-up files of my infected
files I would appreciate any help in order to remove this virus safely.

Please answer.....

------------------------------

Date: Wed, 07 Dec 94 16:03:01 -0500
From: charles.m.robinson@medtronic.com (Charles M. Robinson)
Subject: Re: DOOM II (PC)

Paul McDonough (mcdonoup@coral.indstate.edu) wrote:
>>Norton AntiVirus Research
>Once again, it needs to be said.
>DoomII is not distributed in a shareware version.
>Viruses occur when people use "borrowed" versions of the program. For
>the benefit of our listening audience, Do you really think a software
>company would be lax in virus monitoring (let alone intentionally
>place on there???). Come on people, hardware problems occur. It's easy to
>blame it on a virus. Also, if you are going to use software from
>an "alternate source", be smart enough to use a scanning routine that you
>know works.

It has happened in the past that companies have distributed viruses on
their software diskettes. While rare, it's not impossible. I remember some
Netware print-server software from Intel having this problem about 5-6
years ago.

Agreed, though, that if you're getting software from any "less than
reputable" sources, scanning the stuff should be part of your regular
routine. However, just 'cos it's shrink-wrapped doesn't make it a
guaranteed clean disk!

+-----------------------------------------+-------------------------------+
| Charles Robinson   Mpls, Minnesota      | "You can't have everything... |
| email: charles.robinson@medtronic.com   |  where would you put it?"     |
+-----------------------------------------+-------------------------------+

------------------------------

Date: Wed, 07 Dec 94 16:11:38 -0500
From: charles.m.robinson@medtronic.com (Charles M. Robinson)
Subject: Re: Boot sector virus won't die (PC)

Andrew Morrissey (ajmor5@giaec.cc.monash.edu.au) wrote:
>Just a quick question about booting from a clean disk, will booting
>up and pressing F5 on bootup (to bypass a lot of stuff) mean booting
>clean? My guess is that it won't because it still has to load
>command.com, and if it is infected, this won't help. But if the virus
>is in, say, emm386.exe, then this will bypass it. Am I right here?

No. If the virus is in your boot sector, the code will be loaded before ANY
of the operating system (right?). You need to have a completely different,
clean disk or diskette from which to boot.

+-----------------------------------------+-------------------------------+
| Charles Robinson   Mpls, Minnesota      | "You can't have everything... |
| email: charles.robinson@medtronic.com   |  where would you put it?"     |
+-----------------------------------------+-------------------------------+

------------------------------

Date: Wed, 07 Dec 94 18:02:38 -0500
From: James.Linn@nt.com
Subject: Re: Doom1.6bt and viruses? (PC)

dmj@panix.com () wrote:
>
> Well, the other day I started my PC and it would not boot up. So I
> called a tech we use and he took it to his shop and reported that the
> chip was blown and that the hard drive was no good. Perhaps, there is no
> connection here, but were there any viruses out there linked to the
> Doom1.6bt version. Can a virus destroy a PC's chip? and destroy a disk
> beyond repair via reformatting? BTW my PC had 486DX-33 without a fan
> cooling the chip (just one fan for the power supply).
>
>

I'd be very dubious about this tech. It would be highly unusual to have a
hard disk and CPU fail at the same time.

A virus can infect and affect software. A chip isn't software, and a hard
disk isn't either - it contains software, but that software can be erased,
and the disk remains the same.

A power surge can kill a hard drive - fairly rare but it happens. A
processor chip is usually fairly indestructible, but if it gets too hot it
can fry.

You didn't have a virus, you had one or two hardware problems. But I'd keep
the parts just the same. If this was under warranty and the repairs were
free that's one thing. But if you pay for parts and/or labour, I'd be
worried about your tech and truthfulness.

Regards
James.Linn@nt.com
My opinions are MINE, MINE, MINE.

------------------------------

Date: Wed, 07 Dec 94 18:32:52 -0500
From: an448@freenet.carleton.ca (Yves Bellefeuille)
Subject: Bug report: NAV 3.0 (PC)

Bug report: Using Norton Anti-Virus 3.0 to scan a directory or your entire
disk may cause files to be improperly deleted.

This bug seems to appear in the following circumstances:

- - NAV is set to scan "Within Compressed Files" (in the Tools menu, under
Options);

- - temporary files are redirected to a RAM drive; and

- - a directory contains both a PKZip archive and the (unzipped) files it
contains, i.e. the zipped files were extracted to the same directory as the
archive.

NAV apparently scans the zipped files by extracting them to a RAM drive,
scanning them, and then deleting them. Using a RAM drive speeds up the
procedure, even when using a cache. NAV apparently gets confused if the
PKZip archive is in the same directory as the unzipped files: it sometimes
deletes not only the files it has just extracted to the RAM drive but also
the unzipped files on the hard drive.

I can consistently reproduce this bug by scanning the shareware program Top
Draw v2.0 (30 June 1994) by Top Draw Software. Interestingly, the bug seems
to depend on the size of the RAM drive. With a 768-byte RAM drive, the file
TOPDRAW.EXE is deleted. With a 512-byte RAM drive, the files TOPDRAW.EXE and
TOPDRAW.HLP are deleted.

I should emphasize that NAV does not report that these files are infected
or suspicious, nor have I configured NAV to automatically delete suspicious
files.

I'm using MS-DOS 6.2 and Norton Anti-Virus 3.0 with a patch dated 23 June
1994 and the latest virus definition files (December 1994). I'm scanning
under DOS, not in Windows.

- --
Yves Bellefeuille, Ottawa, Canada
an448@freenet.carleton.ca (finger here for PGP key)
ua294@fim.uni-erlangen.de

------------------------------

Date: Wed, 07 Dec 94 19:30:21 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Boot sector virus won't die (PC)

Andrew Morrissey wrote:
)hiwire@solomon.technet.sg (Lim Beng Cheng) writes:
)
)>I believe your problem could be that you did not boot up from a clean
)>disk. The correct procedure is to boot from a clean system disk with the
)>same DOS version (write-protect your diskette). Then type
)
)Just a quick question about booting from a clean disk, will booting
)up and pressing F5 on bootup (to bypass a lot of stuff) mean booting
)clean? My guess is that it won't because it still has to load
)command.com, and if it is infected, this won't help. But if the virus
)is in, say, emm386.exe, then this will bypass it. Am I right here?

It will not help -at all- against boot sector (and MBR) infectors.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 07 Dec 94 19:32:15 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Doom1.6bt and viruses? (PC)

wrote:
)Well, the other day I started my PC and it would not boot up. So I
)called a tech we use and he took it to his shop and reported that the
)chip was blown and that the hard drive was no good. Perhaps, there is no
)connection here, but were there any viruses out there linked to the
)Doom1.6bt version. Can a virus destroy a PC's chip? and destroy a disk
)beyond repair via reformatting? BTW my PC had 486DX-33 without a fan
)cooling the chip (just one fan for the power supply).

I won't say it is -impossible- that software blew out your controller (I
suppose anything is -possible-), but likely? Nah, you had a hardware
problem.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 07 Dec 94 19:33:13 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Help, how to remove One_Half virus from MBS of hard disk? (PC)

Cailong Bao wrote:
)Hi, netter:
)
)My computer is infected by One_Half virus. I used f-prot to scan the hard
)disk and can remove the files infected by this virus. But f-prot can not
)remove it from MBS of hard disk. Can anybody tell me how to remove it from
)MBS of hard disk?
)
)Thanks in advance
)
)Cailong

Are you sure it isn't the MBR of the hard disc?

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 07 Dec 94 19:35:06 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Can a master boot record be repaired? (PC)

Iolo Davidson wrote:
) jmccarty@spd.dsccc.com "Mike McCarty" writes:
)
)> I know that ANSI bombs exist, and have also heard of (but not
)> experienced) them being put in the PKZIP banner. But I have never
)> heard of an ANSI bomb which caused a virus to be created.
)
)I have heard of an ANSI bomb which launched a virus, ie. loaded
)it into memory and executed it. The body of the virus was in the
)file containing the ANSI bomb, and the whole thing happened when
)you typed the file. The virus then infected files as an ordinary
)memory resident file virus.
)
)I haven't had this thing in my own hands, but the person who told
)me about it is extremely reliable.

In other words, it happened to a FOAF. Is this perhaps an urban legend in
the making? Who knows. I'm a little skeptical, but willing to suspend
judgement on this one.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 07 Dec 94 20:01:52 -0500
From: kellogg@netcom.com (Lucas)
Subject: Re: FORM virus on Doublespaced Drives (PC)

Steve W. Taylor (misswt@leeds-metropolitan.ac.uk) wrote:
: Has anyone had any experience of getting rid of the FORM virus on MSDOS 6.2
: Doublespaced drives? Clean on NAV, DrSolomon etc. fails. Our only solution
: is to reformat.
: Help would be appreciated.

Steve,

Try this: Reboot from a system diskette, and do NOT load the doublespaced
drivers. Once this is done, simply run McAfee's Scan c: /clean. It should
successfully remove the virus. Reboot from the hard disk, and all should be
well.

kdl

------------------------------

Date: Wed, 07 Dec 94 23:54:20 -0500
From: fontenot@actlab.rtf.utexas.edu (Dwayne Jacques Fontenot)
Subject: What is the NYB virus? (PC)

Hello,

I was using McAfee's SCAN 2.12E on a friend's computer and it claimed to
find the NYB virus in the Master Boot Record of the hard drive. I told SCAN
to clean the virus out, but it said "No remover exists for this virus".

What is this virus? And how can I remove it? What are the symptoms? I have
been unable to find information on this virus in any of the resources
listed in the FAQ.

Also, why have none of the virus lists at cert.org been updated since
1992??? Where can one get current information without having to buy
commercial software?

thank you for your time,

Dwayne Fontenot

------------------------------

Date: Thu, 08 Dec 94 02:40:19 -0500
From: Zvi Netiv
Subject: Re: InVircible (PC)

From: Zeppelin@ix.netcom.com (Mr. G)
Subject: Re: invb601a.zip - The InVircible Anti-Virus Expert System v6.01A (PC)

> I have used TBAV for some time and have TBfile/TBcheck/TBmen active as
> TSR's. I went to SimTel and got your IV 601a and loaded it onto my
> system. Here is what happened.

> Tbav loads all its TSR's and then IV starts up. At once, TBAV check
> stops the activity, and states that IV is trying to rename IV.EXE to
> IV.*%$, exactly like that. Now I did a complete setup with TBAV as to
> include the IV files. TBAV asks me if I want to stop the process. The
> first time I said NO, and then proceeded to have to go through with the
> same process with EVERY file that IV wanted to look at. When I got all
> done, and IV was finished, my system halted and I was informed that my
> system could not find the Command.com ??? So I directed it to dos where
> I keep a second copy, but it was gone also. I then booted from a clean
> floppy and went into Norton Commander. Here is what I found.

I am afraid you can't have it both ways. InVircible and TBAV represent
totally opposed approaches to antivirus protection. You established
yourself that TB's TSR are conflicting with IV, especially TBFILE and
TBCHECK. IV didn't kill your command interpreter, it was your "wrong"
selection from the options the TSR gave you. You repeatedly made the same
mistake any time the TSR interfered with an ongoing process. This is a mild
demonstration of how hazardous a program can be, when in the hands of an
uninformed user. :-)

> All .exe files had been renamed, and changed to a 6 byte file. Dos was
> filled with these. These 6 byte files had Stoned like extensions, such
> as #_^, and so on. I had to do a complete backup of ALL my .exe's and
> do a SYS c: to get back online. What I have done since IS, run IV from
> the beginning of Autoexec.bat, then TBAV about 5 lines later. I refuse to
> give up TBAV, but I like your system of file integrity.

InVircible does not rename files. If there was a purpose in renaming EXE
files, then why not COM files too? :-) I suppose the above are after
effects of the mess caused by the TSR intervention and your systematic
"wrong" selection from the options given by the TSR.

Your solution of loading the TB TSR _after_ running IV does not make any
sense for several reasons: First, once loaded, you cannot run any of the IV
modules without being intercepted by the TB TSR. For obvious reasons the
TSR cannot be unloaded from memory either, to avoid their deactivation by
viruses. Secondly, AV TSR are supposed to load _first,_ not last, as their
job is to avoid the execution of potentially infected files. Since the TB
TSR have no self-sanity check of their own before loading, it is then
important that they are loaded first, as the environment may already be
infected by then, and the TB programs may get infected in the process.

You can prove my last statement to yourself with the antivirus practice lab
(AVPL101.ZIP - freeware) by "infecting" the TB TSR, as well as the IV
modules, and comparing the behavior of both programs when executed in an
infected state. IV will alert the user and restore itself, the TB TSR will
load as if nothing happened, after the "virus" announced its presence with
a message and prompting for a key (indicating that it took control over the
program!).

The reason I mentioned the above is because what the TB TSR are
intercepting about IV is the self-sanity check and the auto-restore
function. The IV modules will sense and restore themselves even from
stealthy viruses!

As I said, you won't be able to use both programs at the same time, as the
TB TSR are hostile to IV. As IV has no TSR at all, it won't interfere with
_any_ application, and once it finished its fast checks, IV will return
full control and all computer resources to the disposal of the user!

Best regards, Zvi Netiv, InVircible

------------------------------

Date: Thu, 08 Dec 94 04:33:26 -0500
From: gmk@eva.system.sikkerhet.no (Geir M. Koeien)
Subject: About memory scanning (PC)

I can accept that the vir-signatures are loaded into memory by the AV
product when scanning for viri in memory. I can also understand that the
signatures, if left in memory, can cause the AV product to trigger.

However, I refuse to accept that this problem should be an excuse for not
doing memory scanning. It should be no problem at all for the AV product to
zero-out the signatures before it exits.

(no reason for Iolo to watch out yet)

So, if you don't want to do memory scanning you'd better put up a better
excuse than this one.

- --
Geir M. Koien
- ---------------------------------------------------------------
Feature: A documented bug.   Bug: A fault that has yet to be documented.

------------------------------

Date: Tue, 06 Dec 94 19:47:08 -0500
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: Thunderbyte anti-virus v6.30 now available from SimTel (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm),
(available by anonymous ftp from the primary mirror site OAK.Oakland.Edu
and its mirrors):

SimTel/msdos/virus/
tbav630.zip     Thunderbyte anti-virus pgm (complete) v6.30
tbavw630.zip    TBAV anti-virus for Windows v6.30
tbavx630.zip    TBAV anti-virus - processor optimized versions
tbavn630.zip    TBAV anti-virus for Networks v6.30

Replaces:
SimTel/msdos/virus/
tbav626.zip     and older
tbavx626.zip    and older
tbavw626.zip    and older

The Thunderbyte Anti-Virus utilities are ShareWare. There are 4 security
modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are
programmed in assembler and therefore very fast!

TbScan is a signature, heuristic and CRC scanner. It detects known, unknown
and future viruses. TbScanX is the resident version of TbScan. TbClean is
the first heuristic cleaner in the world. Even an infected file with an
unknown virus can be cleaned. TbMon consists of 3 resident programs (TbMem,
TbFile, TbDisk) which monitor your system against unknown viruses.

From version 6.22 a complete Windows version is available. Note that for
Windows you need both the Windows and the DOS files.

NEW Release: TBAV for Networks.

TBAV is uploaded by its authors to anon-ftp site ftp.twi.tudelft.nl in dir
/pub/msdos/virus/tbav) and from there distributed to SimTel, garbo.uwasa.fi,
and ftp.sunet.se, and from there to their mirror-sites.

Greetings,

Piet de Bondt                                  bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 101]
******************************************
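The NAV 3.0 bug report earlier in this digest (scanner extracts archive members to a scratch drive, scans, deletes, and the unzipped originals beside the archive vanish too) describes a failure mode any archive-scanning tool can reproduce. The model below is an added example, not NAV's code or anything from the digest; the mechanism it shows (cleanup by member name relative to the archive's directory instead of by the scratch path) is an assumption about one way such a bug arises, and the file names and contents are constructed.

```python
"""Two archive scanners on the same constructed layout: an archive next to
its already-unzipped members. The buggy one deletes by bare member name
while its working directory is the archive's directory, so it removes the
originals; the hardened one only ever deletes inside a private scratch
directory it created itself."""
import os
import shutil
import tempfile
import zipfile

MARKER = b"CONSTRUCTED-INFECTION-MARKER"   # stand-in for a real scan string


def looks_infected(data):
    """Stand-in for the scanner proper: any file carrying MARKER is flagged."""
    return MARKER in data


def make_workspace():
    """Constructed layout mirroring the report: TOPDRAW.ZIP and the files it
    contains, side by side in one directory."""
    ws = tempfile.mkdtemp(prefix="nav-bug-ws-")
    members = {"TOPDRAW.EXE": b"MZ" + b"\x00" * 64, "TOPDRAW.HLP": b"help text"}
    for name, body in members.items():
        with open(os.path.join(ws, name), "wb") as f:
            f.write(body)
    with zipfile.ZipFile(os.path.join(ws, "TOPDRAW.ZIP"), "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return ws


def scan_archive_buggy(archive):
    """Extract to scratch, scan, then 'clean up' by member name relative to
    the current directory, which has been set to the archive's own directory.
    The relative remove hits the unzipped originals, not the scratch copies."""
    scratch = tempfile.mkdtemp(prefix="ramdrive-")
    results = {}
    old_cwd = os.getcwd()
    os.chdir(os.path.dirname(archive))
    try:
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                path = zf.extract(name, scratch)
                with open(path, "rb") as f:
                    results[name] = looks_infected(f.read())
                os.remove(name)          # BUG: bare name, should be `path`
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(scratch, ignore_errors=True)
    return results


def scan_archive_safe(archive):
    """Hardened: every extracted path is checked to lie inside a private
    scratch directory, and cleanup removes only that directory."""
    scratch = os.path.realpath(tempfile.mkdtemp(prefix="avscan-"))
    results = {}
    try:
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                target = os.path.realpath(os.path.join(scratch, name))
                if os.path.commonpath([scratch, target]) != scratch:
                    raise ValueError(f"member escapes scratch dir: {name!r}")
                zf.extract(name, scratch)
                with open(target, "rb") as f:
                    results[name] = looks_infected(f.read())
    finally:
        shutil.rmtree(scratch)   # touches nothing outside the scratch tree
    return results


def survivors(ws):
    return sorted(os.listdir(ws))


def demo():
    """Run both scanners on identical layouts; report what is left beside
    each archive afterwards."""
    out = {}
    for label, scanner in (("buggy", scan_archive_buggy),
                           ("safe", scan_archive_safe)):
        ws = make_workspace()
        scanner(os.path.join(ws, "TOPDRAW.ZIP"))
        out[label] = survivors(ws)
        shutil.rmtree(ws)
    return out
```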