VIRUS-L Digest   Monday, 6 Feb 1995   Volume 8 : Issue 6

Today's Topics:

graphics files & viruses
virus transfers via email
Re: OS/2 Virus'? (OS/2)
Need Virus Checker for Novell, DOS, MAC (Novell)
Re: how do viruses do it?? (PC)
Re: McAfee 2.1.4 Crashes - help (PC)
Infection via a .WK4 file (PC)
Anti-Virus Comparison (PC)
Is it possible to bypass TSR anti-viruses? (PC)
Re:just how safe is Vsafe? (pc)
SOBOLANUL virus (PC)
write-protection error (PC)
Re: ThunderByte AV and my boot sector (PC)
Re: ThunderByte CRC checking (PC)
Jumper alias _2kb; Natas / Trident confusion by SCAN? (PC)
Hardware Virus Protection (PC)
What is this 'F' virus (PC)
Where to get CPAV Updates (PC)
McAfee Scan 2.1.213 false alarm with BEER.2794 virus ??? (PC)
Problems removing PHNX2000 (PC)
I think I have a virus PLEASE help!!!! (PC)
Press statement re Gatekeeper (PC)
Natas Virus (PC)
Re: Entire files in my DOS dir turning to NULLs!!! (PC)
Re: Stealth C virus (PC)
False alarm with McAfee 2.1.3 ??? (PC)
Virus called ALIENINI 64 ???? (PC)
SCAN; NATAS (PC)
Urgent: NewBug (Genb) virus in RAM. Help needed (PC)
Is this a Virus ??? (PC)
Re: junk-virus on my PC- Help me!!! !!! (PC)
Re: What are the effects of FDISK/MBR (PC)
ASeXual Virus... (PC)
Heard of the SPRAYER virus? Help me!!!! (PC)
Info on 69 virus ?? (PC)
Virus testing of CPAV 2.0 (PC)
ANSI bombs - MORE vs. TYPE (PC)
re:Infection via a .WK4 file? (PC)
VET queries (PC)
NATAS virus (PC)
Best AV software for LAN? (PC)
Monkey virus on Stacked Hard Drive (PC)
Wanted: info on Sobolanul virus (PC)
'69' Virus & McAfee 2.1.3 (PC)
InVircible review in Virus Bulletin - part 1 of 2 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CORSA.UCR.EDU.
Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 09 Jan 95 18:20:28 -0500
From:
Subject: graphics files & viruses

Well, there's never a question so silly as the one that isn't
asked....and I couldn't find it in the Viruses FAQ's or in the
Graphics FAQ's. (Ergo: silly question!)

The question: Is it possible to get a virus from a graphic file?
I understand that this should not normally happen but....?

(Need an answer fairly soon, so responses, flames, etc, can be
directed to me, as well as here.

THX
mspear@griffin.multimedia.edu

------------------------------

Date: Mon, 09 Jan 95 19:25:25 -0500
From: pweinman@dorsai.dorsai.org
Subject: virus transfers via email

It is safe to say that no virii will be transferred via email.. or
is it? (twilight zone music goes here)

------------------------------

Date: Sun, 08 Jan 95 13:30:23 -0500
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: OS/2 Virus'? (OS/2)

Cyber City (cyber1@io.org) wrote:

> David M. Chess wrote:
> >There are at least two known viruses that run under OS/2 itself, but
> >both are only "laboratory viruses" at the moment; meaning that someone
> >with nothing better to do (hard to imagine, eh?) wrote them up and
> >distributed them around various K00L HACKERZ boards and such.
──────────────────────────────── VIRUS_INFO ─
Msg  : 123 of 137 - 122 + 137
From : John Buchanan                  1:271/160         13 Jan 94
To   : T. Curtis
Subj : The virus threat..
────────────────────────────────────────────

TC> Largely virus proof? Hmmmm... The first published native os/2
TC> virus has already been done.. I can't see why any virus couldn't be

I believe you are mistaken, Ian! The first two OS/2 viruses were named
SATYR and EROS. They were given to me about 8 months ago with source. I
can't tell you much more about them simply because I don't fully
understand the "ring" system structure of the coding. I do know that
they work. Surprisingly however, EROS is quite large - some 4823 bytes
large. It more or less works like a direct action file infector. SATYR
is totally beyond me! Anyhow, I just wanted to clear things up a bit.
Author Ellis did *not* write the first OS/2 specific virus.

------------------------------

Date: Sun, 08 Jan 95 14:16:10 -0500
From: jsevcik@nyx.cs.du.edu (joan sevcik)
Subject: Need Virus Checker for Novell, DOS, MAC (Novell)

I need a virus checking program for a NOVELL 3.11 network with a DOS
server, 15 DOS work stations, and 3 Macintosh work stations. The DOS
computers use windows, and doublespace. Is there any way to do this
with an automatic scan that works? Automatic diskette checking is
needed.

Cleaned the Antiexe virus with F-Prot 2.15 (shareware) from this
network. It worked great for boot sector and diskette. Did not reach
the network drive or check for Macintosh viruses.

Please reply by mail. (jsevcik@nyx.cs.du.edu)

Thank you
Joan Sevcik

- --
Joan Sevcik
jsevcik@nyx.cs.du.edu

------------------------------

Date: Sat, 07 Jan 95 20:59:29 -0500
From: jmward@cs.UCR.EDU (Jonathan Ward)
Subject: Re: how do viruses do it?? (PC)

Brian Peterson wrote:

>if a virus is going to wipe your disk, would it use a dos command
>to do it?? like FORMAT.COM or DELTREE.EXE or FDISK.EXE?? because if
>it does, cant you just rename those utilities so the virus cant use
>them?? sorry if this sounds stupid, i'm not that familiar with how
>viruses work. any advice/comments/help/etc are welcome!

Gosh, I'm too nice. You should read the FAQ. Anyway, I'll just say:

No. I've never heard of a virus doing that. It's possible, yes, but
I've NEVER seen a virus do that. There are a lot more efficient ways
to demolish a hard drive. Most use either int 13 or int 21 with the
appropriate function numbers to do their dirty work. Int 26 (absolute
disk write) will also work.

-Jonathan Ward

- --
Who is General Failure, and why is he trying to read from my disk??
Email to:                    | http://neuromancer/~drdrums
jmward@cs.ucr.edu            | University of California, Riverside
drdrums@dostoevsky.ucr.edu   | Dept. of Computer Science

------------------------------

Date: Sun, 08 Jan 95 05:04:24 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: McAfee 2.1.4 Crashes - help (PC)

Sounds like a bug that showed up in the VirusScan 2.1.4 BETA TEST "A"
release. We fixed it in the 2.1.4 BETA TEST "B" release.

Aryeh Goretsky
Technical Support

nisk115%albnyvms.BITNET@uacsc2.albany.edu (DAN GINSBURG) writes:

> I just downloaded McAfee v2.1.4 (scnb214a.zip, which I got from
>Software Creations BBS). When I scan my HD, everything is fine until it hits
>C:\TELEMATE. It kept locking up at a program called convert.exe in the
>directory. It was a program I didn't need, so I deleted and re-scanned. It
>again crashed at another EXE in that directory. So, I clean booted and this
>time it crashed, but it gave me this error message:
>
>C:\TELEMATE\GIFLINK.EXE
>Error Report:
> Error Code 1
> Please record the following information and contact your McAfee
>representative.
> Source: ph_ui.c Location:679 Status -20480, Information $ Revision:1.15$
> Error Code 1
> Please record the following information and contact your McAfee
>representative.
> Source: ph_ui.c Location: 679 Status 4096, Information $Revision:1.15$
>
> It then crashed at the next EXE in that directory. Unfortunately,
>McAfee is closed for the holiday, so I was wondering if anyone has any idea
>what this means? Do I most likely have a virus or is this a bug in SCAN?
>Also, why would only files in C:\TELEMATE be infected when I have hundreds of
>others on my HD? Thanks...

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: support@mcafee.com
2710 Walsh Ave, Suite 200| FAX   (408) 970-9727 | or ftp.mcafee.com
Santa Clara, California  | FaxBck(408) tba      | or www.mcafee.com
95051-0963               | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
USA                      | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Sun, 08 Jan 95 05:49:31 -0500
From: floyd.patterson@ssbbs.org (Floyd Patterson)
Subject: Infection via a .WK4 file (PC)

KF>From: Kenneth Fribush
KF>We recently had a problem with the Form virus on a laptop where the
KF>only files transferred to it were Lotus 123R4 spreadsheets. Is it
KF>possible for a virus to infect a PC via a spreadsheet file? I was
KF>under the impression that the carrier had to be an executable file (.EXE,
KF>BAT, .OVL, etc.).
KF>Any info would be appreciated.

Not exactly. Very broadly speaking there are two types of viruses. The
first I call com/exe viruses which is what you are referring to above.
The second are memory resident viruses. These are spread via infected
floppies. The virus is resident in the boot sector of the disk. Simply
accessing the disk will spread the virus to the other computer.

The form virus is a memory resident and was apparently present on the
disk you used to transfer the files to your lap top. Now...there is
good news and bad news <>. The good news is that the Form virus is
very common and is little more than a pest. It will not generally
destroy data. The bad news is that many/all of your disks and
computers may well be infected. In order to make certain the virus is
gone, you will need to scan/clean each computer and every floppy. If
there is one infected floppy in your office you run the risk of
reinfecting the office.

floyd.patterson@ssbbs.org

 * SLMR 2.1a * Open mouth, insert foot, echo internationally.

- ---
 * Synchronet * System Support BBS (303) 469-9359/9389 Barry Young

- ----
+----------------------------------------------------------------------+
| System Support BBS 303-469-9359 Zoom 24v.fc 303-469-9389 Zoom 28v.fc |
| Denver, Colorado__MetroLink Hub and InterNet/UseNet Node             |
+----------------------------------------------------------------------+

------------------------------

Date: Sun, 08 Jan 95 10:21:22 -0500
From: alans12345@aol.com (Alans12345)
Subject: Anti-Virus Comparison (PC)

Does anyone know of a document comparing the test results of various
anti-virus software? I'm trying to convince someone that F-Protect is
indeed one of the best ones but some test results would certainly
help.

Alans12345@aol.com
71730.141@compuserve.com

------------------------------

Date: Sun, 08 Jan 95 14:18:02 -0500
From: caveman@crl.com (Travis Berthelot)
Subject: Is it possible to bypass TSR anti-viruses? (PC)

Is it possible for a virus to bypass TSR virus scanners like VSAFE.com
that comes with MS-DOS 6.0? By somehow getting the original value of
the vector table entry for interrupt 21h, 13h ROM disk services etc.
Then each time before the virus begins to infect a new host it
replaces the vector table with the original vector entries and
continues the infection and then afterwards sets them back to what
they were. I'm sure it's possible but the virus would have to be in
the MBR or have a sys file infected so that it could get the original
values before the driver is loaded into memory. Or is it possible to
get the original entries even after the TSR is loaded. I need to know.
So if u are educated in this area plez respond ;)

The man...

Trav

------------------------------

Date: Sun, 08 Jan 95 16:04:12 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re:just how safe is Vsafe? (pc)

jfredian@pepperdine.edu (The Mermaid)
Re: Just how safe is VSAFE? (PC)
5 Jan 1995 14:47:59 Wrote:

>Well, I don't know about how well it keeps viruses off the computers, but
>I work in a computer lab at a university, and we're cleaning all our computers
>out (it's winter break), and we cleaned all the viruses off the PCs, and
>one of the files that was attacked by a virus (Kela, I believe) was
>VSAFE....

Yes, but you have better anti-virus packages that will give an
accurate detection and removal of viruses. Statistics reveal that
Vsafe/Msav of DOS is not completely "secure/accurate"; this does not
mean that you could not use it.

I strongly recommend these products:

* F-prot (ver 2.15)
  [This product can use scanning and heuristic techniques]

* Integrity Master (ver 3.15)
  [This product uses integrity checking and scanning techniques]

* TBAV (ver 6.25)
  [This product uses scanning/heuristic/integrity checking techniques]

Warm Regards

Ruben Arias
RALP Computer Security

- -----------------------------------------------------------------------------
Ruben Mario Arias   |> /| | |> |\ |  | |_ |   E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus           Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Sun, 08 Jan 95 18:33:52 -0500
From: S1094896@cedarville.edu (Derek Shaw )
Subject: SOBOLANUL virus (PC)

Does anyone have any information about a virus called SOBOLANUL?

I'm a tech who went to clean TEQUILA off a computer, but SCAN and
F-PROT could not find it. SCAN finds traces of TEQUILA in memory but
not in any files. When I looked at an infected file, the string
"'SOBOLANUL' virus present" was there. I wrote a small scan and clean
for it, but I would like more information.

Derek G. Shaw
s1094896@cedarville.edu
derek@cactus.cedarville.edu

------------------------------

Date: Sun, 08 Jan 95 22:01:56 -0500
From: af930002@v9001.ntu.ac.sg
Subject: write-protection error (PC)

Hello,

I am not sure if my PC was infected by a virus. I got a problem I
couldn't solve. The hard disk can boot, read and run, but cannot
write. The error messages are "write protection", or "drive failure",
or "possible virus". I don't know what's wrong. I can copy files from
hard disk to diskette, but cannot copy files from diskette to hard
disk, cannot format the hard disk even low-level format. In a word,
cannot write ANYTHING to hard disk.

Can anyone help? Thanks a lot.

Qian

------------------------------

Date: Mon, 09 Jan 95 01:26:05 -0500
From: "Frans Veldman"
Subject: Re: ThunderByte AV and my boot sector (PC)

xiphoid@netcom.com (Pet Shop Boy) writes:

> Recently I was infected with Junkie virus, and in my frenzy I obtained a copy
> of TBAV. Without reading the manuals, I executed TBUTIL of which one of
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> its features is to create a "virus-resistant" boot sector. Trouble now
> is that nowadays once in a while a new program to be installed will stop
> because it needs to write to the boot sector but CAN'T. I check the manual
> afterwards (yeah, stupid me) and figured out that it seems there's no way
> to put back a boot sector without some stupid prompt popping up on my
> screen saying "Boot Sector Possible Virus. Overwrite?" I've fdisked my
> hard drive with and without the /mbr switch, low-level formatted, all
> while crossing my fingers, because I knew that seriously speaking none of
> these procedures would delete the "hidden" sector or whatever on my hard
> drive that's preventing boot sector writes without prompts. So I'm asking
> for help... is there any way to remove that TBAV prompt and/or write a boot
> sector on my hard drive without the prompt?
> I mean, hell, does this mean
> I finally get the chance to degauss my hard drive or something?

It means you just have to read the manual carefully. Even if you
didn't, TbUtil explained on the screen what it was about to do, how to
remove it afterwards, etc. If you are one of these people keeping your
finger on the 'Y'-prompt without reading *anything*, well...

Anyway, boot from a write protected bootable diskette, run 'TbUtil
restore' (you have made a backup of the original MBR and put it on a
diskette, didn't you?) or, use FDISK/MBR to create a new MBR.

- --
Thunderbye, Frans Veldman      <*** PGP public key available on request ***>

Frans Veldman             Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl      Fax   (ESaSS)  + 31 - 80 789 186
2:280/200.0@fidonet       Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Mon, 09 Jan 95 01:26:08 -0500
From: "Frans Veldman"
Subject: Re: ThunderByte CRC checking (PC)

blendrhd@netcom.com (Blenderhead) writes:

> Subject: ThunderByte CRC checking (PC)
>
> I am using version 6.26 of ThunderByte and have noticed something that I
> find to be a little disturbing. When Thunderbyte checks the CRC values
> in the anti_vir.dat file, it fails to detect altered programs.
>
> This is what I did. I used TBSETUP to create the anti_vir.dat file. Then
> I went in with diskedit and changed a bunch of bytes and saved it back.
> Then I ran TBSCAN and it said "CRC verified". However TBSETUP when run a
> second time, reported that one program had changed CRC.
>
> This seems to be a bug. Has it been fixed? It is worthless to have
> TBSETUP detect it because all it does is update the signature file. If I
> changed the file entirely, then TBSCAN would notice, but not if I changed
> bytes within it.

Some quotes of the manual:

  TbScan performs an integrity check automatically, and it does not
  have the false alarm rate other integrity checkers have. The goal is
  to detect viruses and not to detect configuration changes!

  Note that TbScan only reports file changes that could indicate a
  virus. Internal configuration areas of program files may also
  change, but TbScan does normally not report this. However, if a file
  gets infected with any virus - known or unknown - the vital
  information will change and TbScan will indeed report it to you!

So, TbScan distinguishes between changes that are the result of a
virus infection, and changes which are not the result of a virus
infection, like internal configuration changes, etc.

> Now a CRC is a CRC and it should not matter that TBSCAN only checks the
> beginning and end of the program when looking for infections. Does this
> sound reasonable?

No, because that is not what TbScan is doing. It is far more complex.
TbScan follows the execution flow within the program, and only checks
those instructions which are executed when the program starts up. If
you alter a byte somewhere in a text string in the program, TbScan
won't bother you with a virus message, since a change in a text string
only does not indicate that the program is infected.

The purpose of TbScan is to detect viruses, not changes in programs.
If you want to detect changes to program files you should use another
product. Be prepared to receive many 'Program changed' reports which
do not indicate a virus at all. But that is what you obviously want.

If you want to 'test' an anti-virus product, you should rather use
REAL viruses to perform the test, instead of assuming what the product
is doing and trying to get it triggered. Actually, any test on
anti-virus products without real viruses can be used as a false alarm
test. In your case, with random changes in a program, if TbScan would
have reported this as a possible virus then it would have been a false
alarm! The better the anti-virus product, the more difficult it is to
fool it with non-viruses.

- --
Thunderbye, Frans Veldman      <*** PGP public key available on request ***>

Frans Veldman             Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl      Fax   (ESaSS)  + 31 - 80 789 186
2:280/200.0@fidonet       Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Mon, 09 Jan 95 06:55:50 -0500
From: "A.Appleyard"
Subject: Jumper alias _2kb; Natas / Trident confusion by SCAN? (PC)

This morning SCAN (the sort that comes with a separate CLEAN) said
that one of my department's PC's had _2kb in its C: boot sector. Can
_2kb infect multiply?

Also, SCAN v2.13 said that several of its .COM files had NATAS virus,
but the abovementioned older SCAN said instead that they had TridenT
virus. Why the name difference? (CLEAN removed some of the TridenT's
but not all, and I had to restore the affected files from other PC's
or from our server.)

------------------------------

Date: Mon, 09 Jan 95 07:10:21 -0500
From: sayhow@technet.sg (Foo Say How)
Subject: Hardware Virus Protection (PC)

Ok guys/gals, I need some help. The PC I have installed in Batam (an
island south of Singapore, belonging to Indonesia) is constantly hit
by viruses. Looks like education does not work, and software
protection did not really help much if the users insist on doing
things their way. So I may have to resort to hardware locks which are
available in Singapore, or if necessary from overseas. Any suggestion
or experience is welcome. What type of planning do you have to prevent
viruses from affecting your systems?

- --
FOO SAY HOW .... foo say what .. foo say who ... foo say when ..
foo say why

- ------------------------------------------------------------------------------
Please note E-Mail address changed due to host configuration changes
NEW E-MAIL ADDRESS : sayhow@technet.sg
Company: Systran (S) Pte Ltd
ADDRESS: 133 New Bridge Road #21-01, Chinatown Point, Singapore 0105
TEL: 65-7327007, 65-5388449   FAX: 65-5388515

------------------------------

Date: Mon, 09 Jan 95 09:37:16 -0500
From: F.Kooger@vanveen.nl (Frank Kooger)
Subject: What is this 'F' virus (PC)

Since this weekend (after a lot of searching and downloading from the
NET) I have a virus in my PC which now and then places an 'F' as a
prefix in the line 'MS-DOS wordt gestart', which is the Dutch
equivalent for 'MS-DOS loading' or something like that. It then
looks: 'FMS-DOS wordt gestart', and the PC hangs. For the time being I
can repair that by booting and 'sys'ing from a floppy.

Does anyone know this virus and what to do against it?

thanks,
Frank Kooger, Holland

------------------------------

Date: Mon, 09 Jan 95 10:17:57 -0500
From: Kevin.Melcher@LeRC.NASA.GOV (Kevin J. Melcher)
Subject: Where to get CPAV Updates (PC)

Anyone know if CPAV updates are available from anywhere besides the
Central Point bulletin board? I can easily obtain stuff via FTP via
the internet but I have no reliable modem.

Also, I've seen some posts about F-PROT. Do you know how it compares
to CPAV? Where might one obtain a copy?

Thanks

:: Kevin J. Melcher                :: ORG:   2560/System Dynamics Branch
:: NASA Lewis Research Center      :: EMAIL: kmelcher@lerc.nasa.gov
:: 21000 Brookpark Road, MS 77-1   :: PHONE: 216-433-3743
:: Cleveland, Ohio 44135-3127      :: FAX:   216-433-8643
::
:: Opinions are mine & do NOT represent any official position by my employer.

------------------------------

Date: Mon, 09 Jan 95 12:16:13 -0500
From: vonburg@ifr.mavt.ethz.ch (vonburg)
Subject: McAfee Scan 2.1.213 false alarm with BEER.2794 virus ??? (PC)

I checked my disk and floppies with McAfee 2.1.3 and its virus list
V2.1.213 and received an alarm for one single file SR340.SYS (Tiga
driver) with a possible infection by BEER.2794. This file is about 3
years old and is called at boot every day. Although with the former
lists V2.1.212 and 2.1.211 checking for this virus I didn't get an
alarm.

False alarm ??? Can anybody confirm ??? Which other scanner is able to
crosscheck ???

Thanks for any help

Peter

***************************************************************
* Peter von Burg, Institut fuer Robotik, ETH Zuerich          *
*                                                             *
* Mail:   ETH-Zentrum, CH-8092 Zuerich, Switzerland           *
* Phone:  ++41 1 632 27 80                                    *
* Fax:    ++41 1 632 11 95                                    *
* e-Mail: vonburg@ifr.mavt.ethz.ch                            *
*                                                             *
***************************************************************

------------------------------

Date: Mon, 09 Jan 95 13:52:07 -0500
From: "Fred E. Rosenblatt"
Subject: Problems removing PHNX2000 (PC)

I am having problems removing a PHNX2000 virus that McAfee scan 2.1.3
has reported. When I boot from a clean write protected floppy disk, I
get:

===
Scan V.2.1.3 Copyright (c) McAfee, Inc. 1994. All rights reserved.
Virus data file V2.1.213 created 11/15/94 7:01:01
01/06/95 10:44:27
Options: /REPORT c:\user\report.vir
Traces of PHNX2000 virus found in memory!
This may be an active virus, or an image left by a previous operation
===

When I select the /NOMEM option no virus is found. McAfee scan117 does
not find any virus in memory and locks up when "Scanning for known
viruses". The PC is a Tandy 1110 HD Notebook and the main processor is
a NEC V20, 16MHz.

Fred Rosenblatt              rosenbla@lafayette.edu
Computer Programmer          rosenbla@lafayett.bitnet
Lafayette College            (610) 250-5501
Easton, PA 18042

------------------------------

Date: Mon, 09 Jan 95 17:08:11 -0500
From: ad809@freenet.toronto.on.ca (Ali Emami)
Subject: I think I have a virus PLEASE help!!!! (PC)

Hi I was just wondering what should I do if I have a virus that can't
be detected?
I already have Norton Anti-Virus and McAfee Scan 117 but both of them
can't detect anything. Ok here is why I think I have a virus. When I
turn on my computer I go to play a game or something, after about one
hour my computer reboots by itself. After that it becomes a random
thing. Every few minutes my computer reboots by itself. I think this
type of virus is called a Boot Sector Virus or something. If anyone
could PLEASE tell me where to find an anti-virus that can detect and
kill this type of virus I would really be grateful. This is a very
annoying problem. And I would really appreciate it if anyone could
help.

Oh and by the way if you decide to help do not post your answer
because I hardly ever read any newsgroups. But instead could you
please E-mail me at:

ad809@freenet.toronto.on.ca

with the FTP site or whatever of where I could find an anti-virus that
kills the type of virus I explained.

Thanks a lot
Ali Emami
Jan.9 1994

------------------------------

Date: Mon, 09 Jan 95 17:29:47 -0500
From: cshema@laventeli.cs.uta.fi (Helenius Marko Tapio)
Subject: Press statement re Gatekeeper (PC)

I am including here our statement of a press release Data Fellows
published recently. There was a need for the statement, because the
press release was misleading and gave a strongly wrong impression of
our work. I personally disapprove of the way our test reports were
quoted and I hope there will not be a need to respond on quotations in
the future.

Best Regards,
Marko Helenius

- ------------------------------------------------------------------------------

VIRUS RESEARCH UNIT'S STATEMENT OF THE QUOTATION DATA FELLOWS MADE IN
THEIR PRESS RELEASE CONCERNING GATEKEEPER'S BETA VERSION

Data Fellows has made in December 1994 a press release where they are
advertising Gatekeeper. In the press release they stated their
arguments for Gatekeeper's performance against polymorphic viruses on
research papers published by the Virus Research Unit. However the
quotation was unfortunate. The original test reports did not include a
test of Gatekeeper's beta version and the quotation is only a
selective part of the test reports. Therefore Virus Research Unit
cannot take any responsibility on the results in the press release
concerning Gatekeeper or its beta version. Those who want to compare
the original test reports with the results in the press release may
download the original test reports via anonymous ftp as

ftp.informatik.uni-hamburg.de: /pub/virus/texts/tests/vtu/wildtest.zip

_____________________________________________________________________________
Virus Research Unit, University of Tampere, Department of Computer
Science, P.O.BOX 607, 33101 TAMPERE, FINLAND, E-mail: cshema@uta.fi

- --
____________________________________________________________________________
Marko Helenius, University of Tampere, Virus Research Unit, Department
of Computer Science, P.O.BOX 607, 33101 TAMPERE, FINLAND,
Tel: +358 31 215 7139, Fax: +358 31 215 6070

------------------------------

Date: Mon, 09 Jan 95 18:47:56 -0500
From: umfauche@cc.UManitoba.CA (Ryan Ulric Faucher)
Subject: Natas Virus (PC)

Any information that anyone currently has on where I can obtain
information on viruses (databases or otherwise) would be greatly
appreciated. I am currently working on a research paper which due to
current incidents I have decided to complete on viruses. Of particular
interest to me is the Natas virus. If you have any knowledge of this
virus or where I may find some please email the location of this
information to me at:

umfauche@cc.umanitoba.ca

Thank-you,
Ryan Faucher.

------------------------------

Date: Mon, 09 Jan 95 19:12:40 -0500
From: ftijdens@pielab.knoware.nl (Folkert Tijdens)
Subject: Re: Entire files in my DOS dir turning to NULLs!!! (PC)

myroon@ee.ualberta.ca says...
>
>Hi all... I seem to be having some sort of problem that looks like a
>virus. In my DOS dir (and only there from what I've seen so far),
>entire files are turning to nothing but NULL characters. That is to
>say if you look at them in hex mode, they are nothing but 00 00 00 00
>00 00 00 etc... The file sizes remain the same and the dates do not
>change! I've tried the latest versions of McAfee's Scan and F-Prot
>2.15. Neither tell me of any virus.
>
>If anyone has any info.. thanks!

I had exactly the same experience a few months ago. I also could not
find a virus. I have no idea when it happened or what caused it. It
took some time before I even discovered it, and most of my backups
were wrong by that time too.

------------------------------

Date: Mon, 09 Jan 95 21:35:23 -0500
From: steveschmitz@ins.infonet.net
Subject: Re: Stealth C virus (PC)

jfredian@pepperdine.edu (The Mermaid) writes:

>I saw this virus about a week ago, and I think the McAffee scanner said
>it was a strain of the Genb virus. The virus was in the boot sector of
>the disk, and the only thing we knew to do was to reformat the disk. If
>anyone else knows any other ways of ridding floppies of this virus, please
>post. Thanx.
>

We've had about 3 or 4 PCs struck by the Stealth_C virus. It is
infecting the master boot record of the disk. Besides infecting the
disk, what will this virus do? The only indication we had of its
presence was that Windows would not load if EMM386 was supplying upper
memory blocks and we booted off the infected disk.

------------------------------

Date: Tue, 10 Jan 95 03:34:12 -0500
From: vonburg@ifr.mavt.ethz.ch (Peter von Burg)
Subject: False alarm with McAfee 2.1.3 ??? (PC)

I receive a virus alarm with McAfee 2.1.3 and its virus list 2.1.213.
The file SR340.SYS (Tiga driver) is supposed to be infected by
BEER.2794. With previous virus lists I don't get an alarm although the
virus is listed. The file has been running on my system for a few
years and as no other file is reported as corrupt I suspect a false
alarm.

any confirmation ???
any doublecheck possibility ???

Thanks for your help

Peter

***************************************************************
* Peter von Burg, Institut fuer Robotik, ETH Zuerich          *
*                                                             *
* Mail:   ETH-Zentrum, CH-8092 Zuerich, Switzerland           *
* Phone:  ++41 1 632 27 80                                    *
* Fax:    ++41 1 632 11 95                                    *
* e-Mail: vonburg@ifr.mavt.ethz.ch                            *
*                                                             *
***************************************************************

------------------------------

Date: Tue, 10 Jan 95 04:19:13 -0500
From: moeza@ifi.uio.no (Moez Ben Lamine Abidi)
Subject: Virus called ALIENINI 64 ???? (PC)

Hallo

Does anyone know anything about this virus? Which anti-virus program
can be used to take it away???

Thank you

Moez
e-mail: moeza@ifi.uio.no
Norway

------------------------------

Date: Tue, 10 Jan 95 06:26:32 -0500
From: "A.Appleyard"
Subject: SCAN; NATAS (PC)

Today I had NATAS on another of my PC's. SCAN v2.13 in /CLEAN mode
successfully removed it from .EXE and .OVL files but not from .COM
files. It also had NATAS.MBR in its boot sector.

(1) What is the latest version of SCAN? Where to get it?
(2) When will SCAN be able to remove NATAS from ?
(3) What is the latest version of VET? Can it remove NATAS?
(4) What does NATAS do, except spread?

Please also reply to me personally, so I get the replies quicker.

------------------------------

Date: Tue, 10 Jan 95 07:56:11 -0500
From: merrill@fub46.zedat.fu-berlin.de (Stefan Simon)
Subject: Urgent: NewBug (Genb) virus in RAM. Help needed (PC)

A few days ago a friend of mine detected a NewBug (Genb) virus in the
RAM of his PC. My questions to all of you who read this are:

1) Where does this virus come from ?
2) What effect does it have ?
3) How to get rid of it ?

You would do me a great favour, if you sent all information you have
(and of which you think it could help my friend) to my e-mail
address:

merrill@fub46.zedat.fu-berlin.de

Thanx in advance,
Stefan Simon.

------------------------------

Date: Tue, 10 Jan 95 12:14:27 -0500
From: Michael Hemy
Subject: Is this a Virus ??? (PC)

I have come across a very strange behavior which suggests the presence
of a virus. I wonder if any of you have seen a similar manifestation.

A friend of mine purchased a new laptop and proceeded moving some of
her SW from her old machine to the new one (using diskettes). [By the
way the problem (soon to be described) never manifested itself on the
old machine].

At some point the machine would not boot: it would hang. Further
examination showed that it was getting stuck while running power.exe.
Removing power.exe from config.sys moved the problem further: it would
stop, while trying to load high a routine, with the message:

EMM386 - Unrecoverable priviledged operation error #00.
Press enter to reboot.

Looking further I found that EMM386.exe was causing a problem somehow
which was manifesting itself when trying to load high any program.
(power.exe tries to load itself high automatically if it can).

Also, if I had not loaded anything high, when starting windows I got a
message saying that something was present that prevents accessing the
disk in the standard way, and suggesting a third party cache SW or a
VIRUS !!!

msav did not find anything, and after talking to the mfr of the laptop
they suggested that some memory may be bad. They suggested replacing
the laptop, and so did my friend do. When the new laptop arrived,
everything was fine. When she proceeded installing her SW, the problem
resurfaced. Since this was a completely new machine I assumed it must
have been a virus. I reformatted the HD and reinstalled DOS and
WINDOWS. The problem disappeared. Of course she will not try to
install her disks now...

So, is this a VIRUS, a coincidence or an incompatibility ?

Thanks,
- --
Michael

------------------------------

Date: Tue, 10 Jan 95 14:27:35 -0500
From: Richard van Eckendonk
Subject: Re: junk-virus on my PC- Help me!!! !!! (PC)

> ct9308@mimas.hts.hsa.nl (J.P. Brouwer)
> 22 Dec 1994 10:58:24 Wrote:
>
> >Hi netters,
> >
> >Two days ago evil struck me: my new PC (not even a week old)
> >has been infected with the JUNK-virus. Every single .com-file has been
> >damaged.
> >First I tried to use the latest version of MCAFEE, but this anti-virus-
> >program was not able to remove the virus from my system.
> >Since there was not much on my harddisk at that time, I formatted my hd,
> >trying to get rid of this torture.
> >But again, Murphy's law proved to be right.
>
> Well, if You want get rid of it You must:
>
> 1) Turn off Your computer and boot from a "CLEAN" diskette containing at
>    least DOS version 6.0 or 6.2.
>    (Include Fdisk in this diskette)
>
> 2) Perform a FDISK /MBR
>
> 3) Format Your Hd if You want. But this is NOT necessary.
>    Only Delete Your files or install them again.

It is not necessary to format your harddisk or delete ALL the files.
The Junkie virus is a multipartite virus which infects files, boot
sector and master boot sector.

Step 1 and 2 are correct (from above)

Step 3 should be: Replace the system files on your harddisk by SYS C:

Step 4: Scan your system with a virus scanner and clean the infected
files (not all files will be infected!) When it's impossible to clean
up these infected files you have to delete them.

Remember: Most important thing for scanning viruses is: Boot your PC
from a clean bootable diskette before scanning your computer. Some
viruses are invisible for the scanner while active in memory.

Regards,
Richard van Eckendonk
McAfee Nederland

------------------------------

Date: Tue, 10 Jan 95 14:32:39 -0500
From: Richard van Eckendonk
Subject: Re: What are the effects of FDISK/MBR (PC)

> Could someone tell me the effects of FDISK / MBR for cleaning a virus???
> Will it affect the disk partitioning???

FDISK /MBR will overwrite your Master Boot Record. This is the first
thing your computer starts while booting the PC.
The code in the MBR reads the information from the Partition Table and searches for the bootsector on the active partition (read from the partition table). Then the bootsector code will be started. This code will finally execute your operating system.

So when the MBR is overwritten, no data is lost (the partition table is not altered!)

Richard van Eckendonk.
McAfee Holland

------------------------------

Date: Tue, 10 Jan 95 18:11:53 -0500
From: trjordan@new-orleans.NeoSoft.com (Todd Jordan)
Subject: ASeXual Virus... (PC)

I had this show up on my computer at midnight between 1 and 2 January. Locked up the machine and printed a one line message similar to the following.

ASeXual Virus: Your computer has been personally phucked!

Bummer was... I had no way of knowing what had caused it. I had just scanned with McAfee and MSAV and Norton's and no luck stopping it. As it was I had a clean protected boot disk and was able to reinstall DOS again and slowly root out the problem. It appeared to create com files named for my exe files and corrupted some com files. It failed to get all exes and all com files but who knows why. It also created these com files as hidden and write protected. Ended up I replaced all executables and it was not too much of a burden.

Has anyone got anything they can share about this with me?

Thanks.

--
Todd Jordan, Sysop of Assassin's Lair BBS (504) 362-1636
trjordan@neosoft.com
Todd.Jordan@f80.n396.z1.fidonet.org

------------------------------

Date: Tue, 10 Jan 95 20:40:14 -0500
From: travis.cook@m.cc.utah.edu (Travis Cook)
Subject: Heard of the SPRAYER virus? Help me!!!! (PC)

My computer is sorely affected with the SPRAYER virus. It attacks the boot sector and is a TSR. I cannot boot my computer from my HD, and therefore cannot do a lot of things that I need to. McAfee (the latest version on Simtel) found Sprayer, but was unable to remove it. Clean.exe didn't recognize it.
The newest sig file from CPAV (Jan 6, 1995) did not have SPRAYER in its list!! How can I get this thing off my boot sector without reformatting? This is the second time this has happened and the first time I did re-format (not knowing what was causing it.)

Please help if you can...

------------------------------

Date: Tue, 10 Jan 95 22:11:16 -0500
From: cei@technet.sg (Sylvie Ong)
Subject: Info on 69 virus ?? (PC)

Hi,

I seem to be having trouble with the 69 virus in my system. Scan 117 doesn't seem to detect it but scan 2.1.3 can detect it. Scan 2.1.3 cannot clean this virus so can anyone please advise on this situation? Also, I can sometimes detect the NYB virus on my system but when I try to clean it, it cannot be found?

I would appreciate it if anyone can reply as soon as possible as I have some code on my system that I need to distribute.

Thanks in advance.

Kenneth Lee

------------------------------

Date: Tue, 10 Jan 95 22:18:32 -0500
From: robb@accessone.com (Rob B.)
Subject: Virus testing of CPAV 2.0 (PC)

There seems to be a lack of information on Central Point Anti-Virus 2.0. The recent FAQ on virus scanning software only covered CPAV 1.0 and 1.4. I assume that 2.0 is an overhaul of the system, since they have now acquired Symantec (Norton) and PC Tools shows the effect.

Has anybody run tests? Are tests on CPAV 2.0 planned? Do I need to do them?

------------------------------

Date: Wed, 11 Jan 95 04:09:35 -0500
From: David Hanson
Subject: ANSI bombs - MORE vs. TYPE (PC)

I know that an ANSI bomb can remap your keyboard if you have ANSI.SYS loaded and you TYPE a file. Can an ANSI bomb remap your keyboard if you use MORE instead of TYPE? i.e.:

C:\>MORE

Subject: re:Infection via a .WK4 file? (PC)

>From: Kenneth Fribush
>Date: Thu, 29 Dec 94 14:42:26 -0500

>We recently had a problem with the Form virus on a laptop where the
>only files transferred to it were Lotus 123R4 spreadsheets. Is it
>possible for a virus to infect a PC via a spreadsheet file? I was
>under the impression that the carrier had to be an executable file (.EXE,
>BAT, .OVL, etc.).

FORM is normally transmitted via the boot sector. So it wasn't in any of the files, but it probably was (is?) on the boot sector of the diskette used to transfer the files. BTW the diskette does -not- have to be bootable to be infected and infectious.

When faced with a FORM infection, the most effective strategy is to isolate and disinfect any infected hard disks, then aggressively seek out and scan/disinfect all diskettes which -may- have come in contact with an infected system. Recurring infections are common, as it is often difficult to find -all- infected diskettes.

HTH. Good Luck!

Dave Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
afrc-mis@augsburg-emh1.army.mil

Any info would be appreciated.

------------------------------

Date: Wed, 11 Jan 95 05:37:14 -0500
From: "A.Appleyard"
Subject: VET queries (PC)

My department's 16 public PC's each call VET automatically once a day. Today PC #2 on its early morning boot-up was an unusually long time in VET, and on exit from VET its file C:\VET_LOG.1 said this:-

_________________________________________________
CYBEC Pty Ltd, PO Box 205, Hampton. Vic. 3188, AUSTRALIA. (03/613) 521-0655
VET #7.81 Virus Protection Program. (C) CYBEC 1989-94.
<<< Set up to run from a file server. >>>
Friday, 23 December, 1994 13:07:34
Prepared for Manchester Computing Centre
To run on a PC Compatibles under DOS V6.20
*** Integrity Test O.K. ***
VET is loaded at 02977:0000h. Top of memory is 09EF6:0000h (635K).
Intermediate scan is active.
m:\util\vet\VET.EXE: O.K.
a:\*.*/rlxah=0
Drive A; Reading boot sector ...
DOS Boot Sector
Non-std size, may have Jumper virus.
Boot sector is corrupted; Will replace it.
VET can only fix the following sizes;
A 360K B 720K C 1.2M D 1.44M
Enter the size (A-D), if you are certain of it, or Q to abort.
NB. If you enter the wrong size the disk will be destroyed.
: Boot sector should be OK now.
Scanning program files in directory a:\ recursively.
Hit Esc or Q to stop, space to pause.
a:\UUDECODE.EXE has Natas virus. Deleted.
a:\UUENCODE.EXE has Natas virus. Deleted.
3 dir(s) & 133 file(s): 4 files were checked.
2 viruses were found. All were repaired, renamed, or deleted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(a) What is the email address of the people who write & maintain VET?
(b) That PC's hard disk is C:, and at the time it had no floppies in. Why then did it say it found an infected file on `a:'???
(c) How do I get it to clean infected files rather than deleting them?

------------------------------

Date: Wed, 11 Jan 95 11:11:38 -0500
From: dangelo@drmail.dr.att.com (131E50000-D(DR2641)283)
Subject: NATAS virus (PC)

Does anyone have any technical information about the NATAS virus, i.e., how it infects, the best way to eradicate, etc?

Thank you,

Diana M. D'Angelo (dangelo@dr.att.com | diana.dangelo@att.com)
(303) 538-4274
AT&T Bell Laboratories
11900 N. Pecos St. Room 31F-18
Denver, Colorado 80234

------------------------------

Date: Wed, 11 Jan 95 14:55:43 -0500
From: dburnett@garnet.msen.com (Doug Burnett)
Subject: Best AV software for LAN? (PC)

What is the most widely used AV software on LANs? I'm new to the subject and trying to figure out who the big players in LAN AV are. Cheyenne? Intel? Who are the others?

TIA - Doug

------------------------------

Date: Wed, 11 Jan 95 16:11:54 -0500
From: corporon@wizard.cse.nd.edu (phillip corporon)
Subject: Monkey virus on Stacked Hard Drive (PC)

I've come across a computer with the Monkey virus; it also has Stacker installed on it. When I start the process to eradicate the virus by booting from a floppy, I can no longer "see" the drives since the drivers are invoked via the config.sys file. I've duplicated the hd's config.sys file, and appropriate binaries, on the boot floppy but that did not work either.
Bottom line: How does one remove the Monkey virus from a "Stacked" hard drive? In the meantime, how does one enable a stacked hard drive while booting from a floppy?

Thanks... Phil.

--
corporon@nd.edu

------------------------------

Date: Wed, 11 Jan 95 21:51:28 -0500
From: S1094896@cedarville.edu (Derek Shaw )
Subject: Wanted: info on Sobolanul virus (PC)

I came across the SOBOLANUL virus where I work. I wrote a scan and clean for the virus and removed it from the computer, but I don't have much information on the virus. Current versions of McAfee's Scan and F-Prot don't scan for Sobolanul. Does anybody have any information?

Derek G. Shaw
S1094896@cedarville.edu

------------------------------

Date: Wed, 11 Jan 95 23:09:09 -0500
From: johnnyl@iti.gov.sg (Johnny Lee Tiong Chye)
Subject: '69' Virus & McAfee 2.1.3 (PC)

Recently, after we started using McAfee 2.1.3, we discovered that some of our PCs were infected with the 69 boot sector virus. This virus shows an unstable state as it appears and disappears on and off a PC and diskette. Our earlier version of McAfee 2.1.1 is unable to detect it. McAfee 2.1.3 is able to detect the virus but not clean it. For infected hard disks, we use FDISK/MBR to remove the virus. For infected diskettes, we backed up the files and reformatted the diskettes.

I would really appreciate it if anyone can throw some light on the following queries:

1. Is the 69 virus a genuine boot sector virus?
2. If so, where does it originate from and what harmful effects (if any) can it cause?
3. What is a safe and easy method of removing the virus?
4. Does McAfee have a disinfector for the virus?
5. Any other info on the virus?

Thanks very much!
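Richard van Eckendonk's FDISK /MBR explanation above, and the '69' boot-sector thread that relies on it, describe the Master Boot Record as boot code followed by a partition table that FDISK /MBR leaves untouched. The Python below is an added example written for this digest, not code from any poster or from McAfee: it parses a 512-byte MBR image, finds the active partition, compares the boot-code region with a known-good copy of the same disk's MBR, and then rewrites only the code region, which is the repair the post describes. The two MBR images, the placeholder loader bytes and the single partition entry are constructed for the example; nothing here touches a real disk.

```python
"""Inspect a 512-byte Master Boot Record: 446 bytes of boot code, a 64-byte
partition table of four entries, and the 0x55AA signature. All images below are
constructed sample data, not dumps of a real disk."""
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446       # bytes 0..445: the code the BIOS jumps to
TABLE_OFFSET = 446         # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFFSET = 510     # bytes 510..511: 0x55 0xAA
ENTRY_SIZE = 16


def has_boot_signature(mbr: bytes) -> bool:
    """A BIOS will not boot a sector that does not end in 0x55 0xAA."""
    return len(mbr) == SECTOR_SIZE and mbr[SIGNATURE_OFFSET:] == b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Decode the four entries: status byte, type, LBA start, sector count.
    The CHS start/end triples are skipped ('3x'); they are not needed here."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def active_partition(mbr: bytes) -> Optional[Dict]:
    """The MBR code boots the one entry flagged 0x80; zero or several is an error."""
    flagged = [e for e in parse_partition_table(mbr) if e["active"] and e["type"] != 0]
    return flagged[0] if len(flagged) == 1 else None


def assess(mbr: bytes, reference: bytes) -> Dict:
    """Compare a suspect MBR with a known-good copy taken from the same disk.
    A boot-sector infector typically replaces the code region but keeps the
    partition table so the disk still works; that is the case FDISK /MBR
    repairs, since it rewrites the code and leaves the table alone."""
    return {
        "signature_ok": has_boot_signature(mbr),
        "boot_code_intact": mbr[:BOOT_CODE_SIZE] == reference[:BOOT_CODE_SIZE],
        "table_intact": (mbr[TABLE_OFFSET:SIGNATURE_OFFSET]
                         == reference[TABLE_OFFSET:SIGNATURE_OFFSET]),
        "active_index": (active_partition(mbr) or {}).get("index"),
    }


def rewrite_boot_code(mbr: bytes, reference: bytes) -> bytes:
    """The FDISK /MBR effect on an in-memory image: fresh boot code from the
    reference, partition table and signature of the suspect sector kept as-is."""
    return reference[:BOOT_CODE_SIZE] + mbr[BOOT_CODE_SIZE:]


def build_mbr(boot_code: bytes, entries: List[Dict]) -> bytes:
    """Assemble a synthetic MBR image (test data constructed for this example)."""
    code = boot_code[:BOOT_CODE_SIZE].ljust(BOOT_CODE_SIZE, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if e["active"] else 0x00, b"\x00\x00\x00",
                    e["type"], b"\x00\x00\x00", e["lba_start"], e["sectors"])
        for e in entries)
    return code + table.ljust(64, b"\x00") + b"\x55\xaa"


# One primary FAT16 partition (type 0x06) starting at sector 63, flagged active.
PARTITIONS = [{"active": True, "type": 0x06, "lba_start": 63, "sectors": 409_000}]
# Placeholder bytes standing in for a clean loader, and an altered copy standing
# in for an MBR whose code was overwritten while the partition table survived.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CLEAN-LOADER", PARTITIONS)
SUSPECT_MBR = build_mbr(b"\xeb\x3c\x90" + b"UNKNOWN-CODE", PARTITIONS)


if __name__ == "__main__":
    print("suspect :", assess(SUSPECT_MBR, CLEAN_MBR))
    print("repaired:", assess(rewrite_boot_code(SUSPECT_MBR, CLEAN_MBR), CLEAN_MBR))
```

The check depends on having a trusted copy of the disk's own MBR to compare against (a rescue diskette made while the machine was clean serves that purpose), and it reports a partition table that no longer matches separately from altered boot code, because the latter is what an FDISK /MBR rewrite repairs and the former is not.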
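David Hanson's ANSI bombs question above turns on ANSI.SYS key-reassignment sequences, which take the documented form ESC [ code ; "string" ... p. The Python below is an added example, not from the digest or from any poster: it finds such sequences in a file's bytes and strips them while leaving ordinary colour and cursor codes alone. Because the check runs on the bytes before anything displays them, it does not depend on whether TYPE or MORE would show the file. The sample bytes and the key codes used (65 for the letter A, 0;59 for the extended F1 key) are constructed for the example.

```python
"""Find ANSI.SYS key-reassignment sequences in a file before it is displayed.
The sample bytes below are constructed for this example."""
import re
from typing import Dict, List

# ANSI.SYS key reassignment: ESC [ code ; code-or-"string" ; ... p
# A plain number is a key code, 0;<n> is an extended key (function keys etc.),
# and a quoted string is what gets typed when that key is pressed. The final
# byte 'p' distinguishes it from colour and cursor sequences, whose final bytes
# are letters such as m, H, J or K; only the 'p' form can remap a key.
KEY_REDEF = re.compile(
    rb'\x1b\[((?:\d+|"[^"\x1b\r\n]*")(?:;(?:\d+|"[^"\x1b\r\n]*"))*)p')
PARAM = re.compile(rb'\d+|"[^"]*"')


def find_key_redefinitions(data: bytes) -> List[Dict]:
    """Return one record per key-reassignment sequence found in data."""
    hits = []
    for m in KEY_REDEF.finditer(data):
        params = PARAM.findall(m.group(1))
        codes = []
        for p in params:               # leading numbers name the key being remapped
            if p.startswith(b'"'):
                break
            codes.append(p.decode("ascii"))
        hits.append({
            "offset": m.start(),
            "key": ";".join(codes),    # "65" for 'A', "0;59" for F1
            "replacement": b"".join(p.strip(b'"') for p in params if p.startswith(b'"')),
            "raw": m.group(0),
        })
    return hits


def strip_key_redefinitions(data: bytes) -> bytes:
    """Remove reassignment sequences, keeping ordinary colour/cursor codes."""
    return KEY_REDEF.sub(b"", data)


def is_safe_to_display(data: bytes) -> bool:
    """True when the bytes contain no key-reassignment sequence."""
    return KEY_REDEF.search(data) is None


# Constructed sample: one harmless colour line, two remapping sequences, a trailer.
SAMPLE = (
    b"\x1b[1;31mREADME\x1b[0m - constructed sample file\r\n"
    b'\x1b[65;"not what you typed";13p'        # remaps key 65 ('A')
    b'\x1b[0;59;"not what you typed";13p'      # remaps F1 (extended key 0;59)
    b"Press any key...\r\n"
)


if __name__ == "__main__":
    for hit in find_key_redefinitions(SAMPLE):
        print(f"offset {hit['offset']}: key {hit['key']} -> {hit['replacement']!r}")
    print("safe after stripping:", is_safe_to_display(strip_key_redefinitions(SAMPLE)))
```

A display front end that runs files through strip_key_redefinitions first neutralises this class of bomb without losing the colour codes that make such files readable, and find_key_redefinitions gives the offsets to report on.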
------------------------------

Date: Fri, 03 Feb 95 13:17:12 -0500
From: Zvi Netiv
Subject: InVircible review in Virus Bulletin - part 1 of 2 (PC)

In reply to an article published in Virus-L:

> Date: Tue, 20 Dec 94 00:24:39 -0500
> From: 91406723@brt.deakin.edu.au
> Subject: Unfavourable InVircible Review (PC)
>
> I have just finished reading a product review of the InVircible v5.07A
> anti-virus software product in the December '94 issue of the Virus
> Bulletin.
>
> Can anyone out there defend this review as it raised serious issues
> with the product. The conclusion drawn was to avoid it.

I am the author of InVircible, the product that the Virus Bulletin "reviewed" in its December 94 issue.

The "product review" in the December issue of the Virus Bulletin lacks the customary warning one usually gets with fictional publications, which states: "Any resemblance between the product reviewed in this article with any real products on the market is purely imaginative and not real ... " etc. The poster may also have noticed that the Bulletin didn't attach any comments to the review from the product's developer, which is only courteous, to balance the negative and highly opinionated article.

In late July '94 I was "overwhelmed with honor" :-) when the Bulletin called upon me to say they had decided to prepare a review of InVircible. It did seem unusual to me that VB would want to review a product that, at that time, was barely known. I have to admit, here, that I do not subscribe to the Bulletin since $400 per year seems expensive and unjustified for a publication that doesn't contribute anything to the development of my product. At the Bulletin's request, our US distributor sent VB a software package with documentation accompanied with my offer to assist the Bulletin and answer any questions the reviewer might have.
For three months I didn't hear a word from VB although I did keep updating Richard Ford, the editor, and his assistant Megan Palfrey, with all current developments in IV. Some of the developments were of prime importance such as the introduction of the generic correlator (IVX) which replaced the phased-out virus scanner.

I would like to give you some background information regarding the Virus Bulletin at this point. VB is by its own definition a "prestigious publication" about virus and antivirus matters. Somewhere in the fine print, one will find that the Bulletin belongs to the Sophos group, which is the producer of Sweep, a scanner based antivirus package that competes with other scanner based AV software. To support its appearance of excellence, and justify its overbearing price, VB presents you with an impressive gallery of famous names on its board of editors.

In late November 94 I finally received Richard Ford's reply (he also identifies himself as "Dicky" Ford on CompuServe's forums) with a draft of the review. Richard gave me three days to comment on a three page review that took VB almost three months to prepare. I was obviously naive in letting the Bulletin prepare the unsolicited (from my part) review, and played into the Bulletin's hands.

Upon reading Dr. Keith Jackson's article (the VB reviewer), it became pretty obvious that VB had an ulterior purpose in the review. They were not interested in reviewing an antivirus package that was, and is, becoming increasingly known for its effective and sophisticated approach to viruses. Their motive was simple: To kill InVircible as a viable competitor to their own conceptually outdated product before it became a real threat to the established and entrenched AV industry, and probably to the very existence and need for a publication like the Bulletin. The editors weren't ignorant of the fact that a product like InVircible could develop to the stage it has without needing virus sources and libraries, at all.
The antivirus industry's existence depends on its ability to rapidly put its hands on new viruses and produce updates in the losing battle they conduct against the flood of new viruses written every week. Five years ago, the antivirus producers didn't collaborate with each other. Everyone operated in isolation. But since 1990, most producers have understood that their only chance for survival was in collaboration, at least at the level of exchanging information on new viruses, since none of them could afford the effort required to do this alone. That's how organizations like CARO, the NCSA and the Virus Bulletin came about.

As InVircible is not an antivirus "scanning" product and it does not depend on a constant "feed" of new virus signatures, its independence could become dangerous to the rest of the industry. End-users could discover that they have been fooled for years into thinking that frequent "updates" to AV products were necessary for effective antivirus protection. This mistaken belief on the part of end-users has kept them a captive market for AV developers that produce ongoing and many times unnecessary antivirus updates. The developers make money from the erroneous belief of end-users that AV protection requires them to frequently update. This is only true for products that use virus-specific methods of detection and repair. InVircible, on the other hand, is a generic product that does not function primarily on the basis of virus-specific detection and repair routines. Therefore, it does not need to be frequently updated.

The VB strategy was simple: As most users and readers equate antivirus protection with scanning, then show what a "poor" scanner InVircible is and it's dead! :-) It doesn't matter that IV isn't a scanning antivirus at all. It doesn't matter that InVircible offers far superior antivirus protection using generic methods.
Since end-users have been led to believe that only "scanning" will protect them, InVircible will be perceived as useless if it is shown to have a poor virus "scanning" detection rate. After the Bulletin gave its verdict to "avoid" InVircible then most end-users wouldn't even bother to evaluate it independently. In effect, they would never learn about an alternative to traditional "scanning" based approaches to antivirus protection and the industry would be preserved.

When I told Richard Ford that his review was full of factual errors and that the reviewer didn't even evaluate all of InVircible's different functions (the reviewer admitted this himself!), he then gave me the Devil's choice: Either to add a 500 word rebuttal, or to see the review published without it. I asked in return either to publish my rebuttal in the same issue, with the same length as the VB review, or to abstain from publishing the maliciously intended and fabricated review. I would have been a fool to legitimate the review by accepting Richard's disingenuous and deceptive offer of a 500 word rebuttal. Richard has ignored my messages and faxes since I refused to accept his offer; and, he didn't even give me the courtesy of informing me that the Bulletin published the review. As said earlier, I do not subscribe to VB and I have no intention of doing so.

The biggest farce was yet to come. Since I didn't want the Bulletin to make "corrections" to the flawed review, I requested that the floppy with the program be returned to me and THAT THE REGISTRATION BE UNINSTALLED BACK FROM THE HARD DISK TO THE FLOPPY, before it was returned to me. Dr. Jackson, the reviewer, replied that he airmailed the floppy back. But, and this is important, he couldn't uninstall the registration from the machine he used for preparing the review since, "The computer in question is currently 300 miles away, and is in use by somebody else."
When I checked the returned diskette, the TWO REGISTRATION KEYS WERE ON THE FLOPPY, which simply means that the software was never installed properly to the hard disk; and, the reviewer could not, and did not, evaluate InVircible in its "full authorization" mode of operation. Furthermore, Dr. Jackson gives proof by his own words that he failed with the installation. At the end of the review he writes: "Many features are unavailable unless execution takes place from the original floppy disk, not a backup copy." The facts are that once the installation is properly completed, the original floppy can be stored in a safe place and _all features are available_ with no restrictions!

This means that the review is based on an evaluation of InVircible in its "sentry" shareware mode of operation. A few advanced features of InVircible are non-functional until the product is registered. One such function is the generic integrity checker's (IVB) ability to restore virus-damaged files to their original condition, byte-for-byte, right down to their original time and date stamp! The registered IVB can restore virus damaged files more effectively than any other product currently available to PC users.

Draw your own conclusions. Did the Bulletin evaluate InVircible properly? Or, did it perform an incomplete evaluation? The conclusion is inescapable. The reviewer did not evaluate InVircible since he never completely installed it on his system. He admitted in his review that he did not test all of InVircible's programs. However, he did not admit that he failed to evaluate InVircible while it was fully functioning. He didn't even realize the fact that he failed to install the software in "full authorization" mode. I think most people can draw an additional conclusion from this fact. Dr. Jackson's ability to judge the worth of InVircible should be suspect and viewed carefully. After all, what else might he have failed to do properly?
Rather than leave you guessing about the many errors and factual inaccuracies in the Bulletin's review I have made annotations to the pre-publication copy of it sent to me by Richard Ford, below.

===================== The VB review, commented. =======================

VB> InVircible: InVincible? by Dr Keith Jackson
VB>
VB> InVircible, 'The World's most effective anti-virus system', claim its
VB> vendors. 'InVircible, The Ultimate Anti Virus Protection', says a file
VB> on the product's master disk. Does the package live up to its claims?
VB>
VB> This product consists of a scanner, several 'repair utilities', and an
VB> integrity checker which claims to be able to detect known and unknown
VB> viruses. It also offers network capabilities and operation under OS/2,
VB> which were not included in the tests, as this review concentrates on
VB> the DOS software. The integrity checker and the scanner include
VB> features which purport to be able to remove viruses from infected
VB> files.

Plain deception. The documentation, both printed and on-line hypertext, states clearly that InVircible is a _generic_ virus detection and disaster recovery system. The documentation emphasizes and strongly recommends that users do not rely on the scanner as the primary AV tool in the package since it is merely a platform for certain generic techniques, which the reviewer did not test or even understand, as will be described later. By emphasizing InVircible's scanner the reviewer laid the basis for his dismissal of InVircible as an effective AV package in the conclusions of his review. InVircible is not a scanner. The product uses far more effective methods to combat viruses.

VB> Documentation
VB>
VB> The manual, an unbound, unindexed, 46-page A5 booklet, provides a good
VB> description of the theory behind InVircible, and an adequate explanation
VB> of how to use its individual components. Readability, however, is not
VB> helped by the fact that pages 28A and 28B are simply stuffed in between
VB> pages 28 and 29, with no attempt made to maintain continuity.

Deliberate nit picking. Even when giving a compliment on the good description of the theory behind InVircible he cannot refrain from focusing upon meaningless details. It is an insult to the readers' intelligence. It assumes they are unable to recognize that 28a and 28b are provisional inserts offered to users. We think that we render a good service to our customers by providing immediate documentation, as soon as we upgrade the product, rather than withholding it until a new printing of the manual. Unfortunately, it would appear that providing the reviewer with this late-breaking news about the product was insufficient to educate him about it. By the way, the above insert described the new generic hyper-correlator, IVX, an important addition to IV, that was first introduced in the version sent to Dr. Jackson.

It's ironic that when I told Richard that Dr. Jackson didn't understand the product, he still didn't address any questions to me. Here is what Ford answered:

RF> One of the points of Keith's review is that if you want to do things
RF> differently, you need to make certain you explain the logic fully
RF> *in the documentation*.

Well dear Editor, this is exactly what I did, and Dr. Jackson admitted so himself!

VB> The documentation is prone to making claims which are palpably untrue.
VB> For instance, its scanner is claimed to be 'faster, safer and more
VB> efficient than any other on the market'. InVircible is indeed fast at
VB> scanning, but certainly not the fastest; ThunderBYTE (to name but one
VB> competitor) beats it hands down. The scanner's efficiency at virus
VB> detection is also noticeably poor (see measurements below).
Again: Notice that of the six modules in InVircible the reviewer singles out and focuses upon the scanner so that he can later justify the one "test" he performed on InVircible, which was of IVSCAN. Dr. Jackson's "test" was not a valid one. Testing InVircible by evaluating IVSCAN's virus detection rate is like evaluating the worth of a weapon based upon the size of its container. We all know that it is the "payload" that counts, not the size of the shell that holds it.

VB> Scanners in general are rubbished in the documentation, in such phrases
VB> as: 'Polymorphic viruses have rendered scanners effectively useless
VB> since they cannot be removed by an algorithmic approach'. This is, of
VB> course, untrue. The manual also contains a two-page diatribe against
VB> memory-resident components, which, despite some salient points, does
VB> spoil its arguments through over-emphasis.

Scanners and their perpetuation are Dr. Jackson's main goal and interest. If InVircible really does what it claims to do then scanners could become history and who would then need his expertise in testing them?

VB> Copy Protection
VB>
VB> Regular readers of these articles will know that VB does not review
VB> copy-protected products, taking the stance that such products breach a
VB> fundamental rule of security; i.e. the maintenance of accurate and
VB> plentiful backups of all disks. The introduction to InVircible's manual
VB> states that the product is copy-protected, but when asked, the vendors,
VB> New Castle International, denied this, describing the process as
VB> 'registration or personalisation'.
VB>
VB> The company claims this to be similar to procedures used by products
VB> such as QEMM and Stacker, both of which require user registration
VB> information to be written back to the floppy disk used for installation.
VB> They omit to say that it is possible to make as many backup copies as
VB> desired of QEMM and Stacker floppy disks, and to install from these
VB> backups, unlike InVircible.
VB> Further, the developers claim that this
VB> scheme is 'favored by corporate and institutional users'. If so, why
VB> pretend it is not copy-protected?
VB>
VB> If InVircible is installed from a copy of the original floppy made using
VB> DISKCOPY, not all its features are available, despite the fact that
VB> DISKCOMP thinks the original floppy disk and the copy are identical -
VB> restoration functions are disabled. It is thus not possible to take a
VB> complete backup copy of a floppy disk: where this is so, the product is
VB> copy-protected. The rest is marketing fog, designed to confuse.

Plain rubbish. As explained before, the reviewer didn't even notice that he was evaluating a non-registered copy. Secondly, InVircible is distributed as freeware (the very same software that the reviewer used!) on the Internet, CompuServe, Simtel, AOL and countless BBSs! Furthermore, the registered floppy can be formatted and will retain its registration! Moreover, the rescue diskette that the reviewer probably never prepared, and which constitutes a crucial component in the InVircible concept, retains a copy of your registration too. The IV ResQdiskette can be duplicated as many times as one wishes by plain DISKCOPY.

Now comes an interesting one! InVircible, in its UNREGISTERED form, is more useful than any other antivirus product. Fact: On New Year's Eve, IVX, the generic hyper-correlator, succeeded in eliminating the SOURCE of repeated outbreaks of a virus in one of the biggest American software enterprises! The virus attacks (by Dark Avenger, alias Eddie) repeated themselves on hundreds of file servers in the production lines, sometimes three times a day! None of the king's horses and scanners used could solve this problem. IVX located the source of the virus immediately. A desperate technician, working for that firm, downloaded InVircible from CompuServe. In a couple of days he figured out how to use and interpret IVX.
With it he found several RELATED droppers (two stage droppers, very sophisticated activation) and removed them! The technician, without academic training and with no background in virus matters, could figure out in a few days what Dr. Jackson couldn't (or perhaps didn't want) to understand in two months, in spite of his academic degree and his self-proclaimed expertise in virus and antivirus matters!

VB> Installation
VB>
VB> The installation process creates its own directory on drive C, then
VB> scans for viruses, copies the required files, and creates a set of
VB> 'Integrity Signatures'. Two lines are inserted at the beginning of
VB> AUTOEXEC.BAT which verify the PC's integrity before other programs are
VB> allowed to execute. What about viruses which may be inside already
VB> installed EXE files as device drivers when AUTOEXEC.BAT is executed?
VB> Installation also produced a series of high-pitched squeaking noises
VB> whilst InVircible files were being copied. Most odd.

The comment about viruses that install as devices shows that the reviewer didn't actually test IV but rather speculated upon what he read and thought that he understood. If he had tested InVircible instead of speculating about it (based on outdated assumptions and ideas), he would have found and learned how InVircible does it. IV has the most comprehensive generic virus detection techniques there are. The IV tests are PURPOSELY put in the autoexec.bat and NOT in the config.sys, as they are based on the positive identification of viral activity - which shouldn't be confused with activity monitoring. The more programs that are run before IV's tests are launched the better are the chances of detecting anything suspicious! The reason we install the IV tests at the beginning of the autoexec.bat is to avoid conflicts with other antivirus programs that some intimidated users still keep in their autoexec. Normally, users give up scanning and antivirus TSRs after gaining confidence with IV.
The Antivirus Practice Lab (AVPL) - another of our freeware products -
expedites this developing confidence, since it provides hands-on, near-real
virus experience. AVPL is a must for all the users who depend on other
people's (and self-proclaimed experts') opinions! :-)

VB> When the installation process was complete, InVircible had added itself
VB> to the MS-DOS PATH, and five files to drive C's root directory. Such
VB> file scattering is unforgivable. The product's report files are also
VB> created in the root directory, rather than in its own, which would be
VB> far more sensible.

Here is some free advice: when you don't understand the reason for things,
either ask or keep silent. People may perceive it as wisdom. But don't cry
your ignorance out loud. The "unforgivable" files in the root directory have
a purpose. They are there for disaster recovery. As such, they must be
traceable even if booted from a floppy, or when started without a search
path, or when run from a floppy. In emergency situations one cannot rely on
knowing whether IV was installed with its defaults or the user preferred to
bury IV deep down in an inaccessible Stacker or DoubleSpace volume!

VB> After everything was installed, a message appeared onscreen saying:
VB> 'Prepare the Rescue Diskette immediately after rebooting'. Rebooting is
VB> requested, not enforced - nothing onscreen warns users to remove the
VB> master disk first. The rescue disk is set up as a bootable floppy, and
VB> information about the partition, the boot sector, and file integrity is
VB> copied across, as are InVircible's own files. This floppy can be used to
VB> great effect when a virus has affected a hard disk.

At last a paragraph with only one insult, underestimating the users'
intelligence.

VB> Most of the product's features are accessible from within a single menu
VB> program.
VB> This has a cluttered interface which continually displays a
VB> list of the amount of DOS memory available, the current integrity
VB> database filename, space available on the target disk drive, frequency
VB> with which integrity checks are made, and 'authorization status': i.e.
VB> whether or not copy-protected features have been installed.

Although a reviewer's opinion is acceptable, it seems that Dr. Jackson is
surpassing himself in being petty in an effort to discredit IV on all
fronts. The user interface is one thing that everybody understands, and the
general response to IV's is that users love it. :-)

VB> Scanning
VB> Buzzwords abound in the scanner as elsewhere in the product: for
VB> instance, the help feature for the scanner says that it is 'equipped
VB> with the SeeThru (c) anti spoofing feature and a generic boot code
VB> analyzer' - plain English would be infinitely more useful than this
VB> jargon.

In Dr. Jackson's language, "buzzwords" stands for "I failed to understand
this" or "I failed to test this feature, since I failed to install the
program properly on my disk." Which failure on the reviewer's part
"buzzword" refers to depends on the specific aspect of InVircible he is
discussing. :-)

VB> When InVircible starts a scan, it displays the directory tree of the
VB> selected drive, then waits for the user to select a directory. If the
VB> root directory is chosen, the entire disk is scanned. Scanning an entire
VB> disk or a specific subdirectory seem to be the only available scanning
VB> options, and it is not possible to scan down part of a directory tree
VB> recursively.

Wrong! The menu-oriented mode is a single-directory mode indeed; the
command-line one will let you do whatever you wish, including sub-dirs. Just
type the \TOP-DIR after the selected command.
:-)

VB> InVircible took 1 minute 15 seconds to scan the hard disk of my test PC,
VB> a timing which rose to 1 minute 19 seconds when the provided PIF file
VB> was used to execute the scanner in a DOS box under Windows. In
VB> comparison, Dr Solomon's AVTK took 1 minute 10 seconds to carry out the
VB> same task; Sophos' Sweep took 2 minutes 4 seconds in 'Quick' mode, 6
VB> minutes 26 seconds in 'Full' mode.

Sounds very good! Yet IV's scanner is used very rarely, in fact almost only
for the installation of IV to the hard disk. The daily scan is the integrity
checker's. According to the above performance, it should have taken about 12
seconds, once a day! The routine startup tests of IV take about 1 to 3
seconds, depending on the machine. A once-daily full integrity scan of 450+
MB of files requires about 1 minute and 30 seconds on a DX2-66 machine.

Because of its length, this article was posted in two parts. Part 2 deals
with key features of InVircible such as accuracy in detecting viruses and in
removing them, integrity checking and generic recovery (which, as Frisk -
the VB's technical editor - rightfully stated, is one of IV's strongest
parts), and the entirely new technology of the generic correlator, which was
totally dismissed by the reviewer.

Commented by Zvi Netiv, NetZ Computing, Israel
email: Zvi Netiv
ftp: ftp.netcom.com/an/antivir/invircible
Fax: +972 3 532 5325

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 6]
****************************************