VIRUS-L Digest   Monday, 6 Feb 1995   Volume 8 : Issue 7

Today's Topics:

Virus Researchers Incompetent?
Exsvira?
"Live Robots" by Rucker
dinamo(kiev) Champion !!! (PC)
Re: question on virus (PC)
MONKEY_B & ANTIEXE viruses (PC)
Both Form and AntiExe? (PC)
NYB Virus (PC)
Natas (PC)
info request on AntiCMOS.A (PC)
How to clean 69 and AntiCOMS ?? (PC)
virus detection (PC)
F-Prot (PC)
Barrotes virus (PC)
unknown possible virus--new post (PC)
EXEBUG virus in Novell network (PC)
Stoned Variation (PC)
Help, Monkey on my back!! (PC)
69 virus (PC)
Network Scans (PC)
icarus virus-utils (PC)
Do you have features of 2KB Virus ??? (PC)
Re: McAfee vs Central Point vs F-Prot (PC)
"FORM" virus (PC)
Virus Protection Software (PC)
GENB Queries (PC)
Coruna 4 infection (PC)
Invircible software review (PC)
Virus question... (PC)
AntiCMOS A - Desire Info (PC)
Re: Junkie virus (PC)
Re: Stealth C virus (PC)
BACKFORM virus (PC)
Is "jumper" an alias for "2kb"? (PC)
W-BOOT.A (PC)
boot sector (PC)
Need info re: "Wolfgang Gullich" Virus (PC)
f_def482.zip - File Defender Plus: File protection driver
McAfee VirusScan 2.1.4 uploaded to SimTel (PC)
InVircible review in Virus Bulletin - part 2/2 (PC)
12th Annual ISSA Conference & Exposition

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU.
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sun, 08 Jan 95 15:51:25 -0500
From: arfman2@aol.com (Arfman2)
Subject: Virus Researchers Incompetent?

The following is a quote from Geoff Chappel, author of DOS Internals, regarding anti-virus researchers. This note appears as a public posting in CompuServe's Doctor Dobb's Journal Forum under the Undocumented Corner.

>>Subj: BUG in DOS 6 w/F5 key                    Section: Undocumented Corner
>>From: Geoff Chappell 100043,564                # 78864, * No Replies *
>>  To: Leonard Gragson 73131,1034               Date: 08-Jan-95 11:26
>>
>>OK, I'm not so naive that I have believed that anti-virus people actually
>>disassemble viruses to discover how they work - but I'm idealistic enough
>>to believe that you ought to and I'm cynical enough to believe that many
>>uninformed users think that anti-virus defences are the product of careful
>>analysis.

I have not posted the entire note, though this is the only segment that deals with virus researchers as a class. Mr. Chappell and I had a disagreement over whether a particular piece of code was a virus or not. I thought all the researchers on here would like to see what a published author has to say about virus researchers.

------------------------------

Date: Fri, 20 Jan 95 03:31:08 -0500
From: sayhow@technet.sg (Foo Say How)
Subject: Exsvira?

My boss dropped me a note:

When I was in Europe I saw in the news that a certain German academic (Bugavitch?) has converted an electronic panel board with the name of Exsvira which can prevent viruses in the computer. Please find out.

Ok, anyone has any clue on this? Any way to contact this academic?

Thanks in advance.

- --
FOO SAY HOW .... foo say what .. foo say who ... foo say when .. foo say why
- ------------------------------------------------------------------------------
Please note E-Mail address changed due to host configuration changes
NEW E-MAIL ADDRESS : sayhow@technet.sg
Company: Systran (S) Pte Ltd
ADDRESS: 133 New Bridge Road #21-01, Chinatown Point, Singapore 0105
TEL: 65-7327007, 65-5388449   FAX: 65-5388515

------------------------------

Date: Thu, 19 Jan 95 14:34:42 -0500
From: "Rob Slade, Social Convener to the Net"
Subject: "Live Robots" by Rucker

BKLIVRBT.RVW 941223

"Live Robots", Rucker, 1994, 0-380-77543-3, U$5.99/C$6.99
%A Rudy Rucker
%C 1350 Avenue of the Americas, New York, NY 10019
%D 1994
%G 0-380-77543-3
%I Avon Books/The Hearst Corporation
%O U$5.99/C$6.99
%P 357
%T "Live Robots"

This is a double volume, originally published as "Software" (1982) and "Wetware" (1988). The basic premise is the tension between "thinking" robots (called "boppers" or "bops") and humanity.

Two items are of interest. The first is the development of machine intelligence, which we see only in retrospect. The growth of artificial cognition is promoted by a type of genetic programming. The original programmer builds "immutable" instructions into the robots to submit their software to some minor random variation every ten months. The robots are also to build replicas of themselves during the ten-month period, although these seem to be primarily for replacement purposes, rather than reproduction. The concept of "immutable" code is interesting here, since it would be subject to the same variation as all the other programming. As well, the ten-month "generations", and the few dozen initial robots, would result in a very slow evolution. The concepts, though, are quite sound, and very similar to "real" genetic programming.

The other point of interest is raised in the last few pages of the latter book. A computer virus is let loose in order to foul up the network of the authorities for a few hours. (The virus is let loose from a graphic, but ...)
The point is correctly made that once the existence of a network virus is known, effective defences take only hours to build. (In this case, that is all that is necessary.) A very good understanding of the concepts, for such an early (1988) work.

copyright Robert M. Slade, 1994   BKLIVRBT.RVW 941223

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If a train station
Institute for  Robert_Slade@sfu.ca      |  is where a train
Research into  rslade@cue.bc.ca         |  stops, what happens
User           p1@CyberStore.ca         |  at a workstation?"
Security       Canada V7K 2G6           |  Frederick Wheeler

------------------------------

Date: Thu, 12 Jan 95 10:32:23 -0500
From: maren@helix.nih.gov (Maren)
Subject: dinamo(kiev) Champion !!! (PC)

How do I get rid of this virus? It has infected one person's computer and she cannot even boot it up properly now. F-prot finds the problem and says to run fdisk /mbr. Is there any other way to get rid of this dinamo virus?

thanks.

------------------------------

Date: Thu, 12 Jan 95 11:06:17 -0500
From: fbultot@vub.ac.be (BULTOT FREDERIK)
Subject: Re: question on virus (PC)

Laurent Aureyre (aureyre@grenet.fr) wrote:
: I've got a big problem with my PC computer...
: I've got a virus called 2KB, I know the name because I used a program
: (virus scan) which is stupid because it gives me the name of the virus but
: can't repair my system.
: I know that my virus is in the master boot sector but I don't know how to
: remove it. Somebody told me that I can do something with the FDISK option
: of the Dos 6.22 but I don't know how to use it....

try FDISK /mbr

take a look at "mcafee.com : /pub/antivirus" and get cleanXXX.zip

or try something else ...

------------------------------

Date: Thu, 12 Jan 95 15:00:21 -0500
From: ckokesh@expert.cc.purdue.edu (Christopher Kokesh)
Subject: MONKEY_B & ANTIEXE viruses (PC)

Does anyone know anything about these two viruses? When I run McAfee's Vshield it says the Monkey B is in my memory and that my boot partition is infected with the ANTIEXE. Can these be removed? Also, when I run McAfee's Scan it doesn't detect the ANTIEXE but does detect the Monkey B. I've tried turning the computer off and booting off of a clean floppy, but it still says I have Monkey B!

Any help would be greatly appreciated!

Thanks,
Chris (ckokesh@expert.cc.purdue.edu)

------------------------------

Date: Thu, 12 Jan 95 15:16:19 -0500
From: Bill McGeehan
Subject: Both Form and AntiExe? (PC)

I have been given a 3.5 inch HD diskette that *seems* to have two viruses on it. I'm using F-PROT 2.15 under DOS 5.0. Using the automatic disinfect option, F-PROT reports that I have the AntiExe virus, and since I have the automatic disinfect feature turned on, it also tells me "Virus infection(s) found and removed". Then when I scan it again F-PROT reports the Form.A virus, which it also claims to automatically remove. Beautiful so far. But when I scan additional times, F-PROT again reports the AntiExe, then the Form.A and so on in a continuous loop (as long as I keep asking F-PROT to scan)!

This doesn't seem to be a phantom virus or false positive, since I rebooted and checked the same diskette and got the same results. I can retrieve the information on the infected diskette, that's not a problem. What I'd like to know is what's going on. If less knowledgeable users were to encounter this problem, they wouldn't have run F-PROT a second time, assuming that all viruses were removed *as claimed*.

Has anyone else seen this kind of problem? I don't know enough about MBR's, DBR's, and disk editing programs to dump this data and analyze it, so I'm hoping someone can tell me what is happening and what action to take.
Bill McGeehan, Smithsonian Institution
Computer Security Manager

------------------------------

Date: Thu, 12 Jan 95 16:07:08 -0500
From: pbooth@robins.af.mil (PHIL BOOTH)
Subject: NYB Virus (PC)

NYB-boot Virus Information

Description

NYB-boot is a new virus that infects the MBR on hard disks and the BR on floppy diskettes, but it does not infect the program files. The virus relocates the original contents of the MBR/BR to another place on the disk. On hard disks, the MBR is moved to sector 17, on head 0, cylinder 0. On floppy disks the location is the last sector of the root directory, which depends on the capacity of the diskette. For example, on 360K diskettes (remember those?), it will be at sector 14, on head 1, cylinder 0.

The virus stays resident in memory just below the top of conventional memory. It reduces the base memory size by 1K. For example, a system with 640K base memory will appear to have 639K after the virus goes resident.

Once loaded in memory, NYB-boot points the disk access vector (INT 13h) to its own handler. It examines the read and write requests, and infects the MBR/BR if it is not already infected. The handler also has stealth capability to mask its presence on the disk, and to protect itself against being overwritten. For example, you cannot use a general purpose disk sector editor such as Norton Utilities (tm) and modify the MBR, where the virus is located, as long as the virus is active in memory. You will most likely get an error message about the operation.

The coding style in the virus suggests that its author is relatively experienced in PC assembly language; there is an apparent attempt to minimize code size and to use tricky code (to make reading it difficult). The virus fits in one sector. The partition table or the BPB (BIOS Parameter Block) is kept intact during infection.

Doing a simple DIR on an unprotected diskette will cause it to get infected. Diskettes in both A and B drives are infected. The virus transfers from infected diskettes to hard disks if the system is booted off the infected floppy. Once the hard disk is infected, any unprotected disks used in that system will become infected.

Variants

Diskettes used for backup with a program that has its own disk format may become corrupted and lose data. The virus checks the BIOS timer tick counter and executes a loop that contains a VERIFY SECTOR instruction. This may confuse certain software and give the impression of disk problems. The virus itself does not appear to have deliberate overwriting of data. The diskette can also become unusable if this mechanism triggers.

Z-RAM Inc.
P.O. Box 2087
Annapolis, MD 21404
1-800-638-2000

Phil Booth
pbooth@wrdis01.robins.af.mil

------------------------------

Date: Thu, 12 Jan 95 20:16:05 -0500
From: Roberto Parker
Subject: Natas (PC)

Mexico was under Natas attack for some months. We developed an effective Natas AV. After extensive testing it gives false positives when scanning a lemmings or 1226M infected file. Any interest? Natas is pretty good.

Regards
Roberto Parker
Mexico City

------------------------------

Date: Thu, 12 Jan 95 23:07:42 -0500
From: dwjackso@nyx.cs.du.edu (Donald Jackson)
Subject: info request on AntiCMOS.A (PC)

I would appreciate any info on a virus that most antivirus programs don't yet handle: AntiCMOS.A

It's a boot sector virus. That's all I really know. F-Prot 2.15 detects it, but doesn't offer removal. A friend said that NAV 3.0 (new off the shelf) detected it on his hard drive during installation.

In particular, what size boot sectors or master boot records (for hard disks) does this virus infect? Is it malicious, if so, does it have a trigger (time/date/etc.), or does it just replicate itself and do unintentional damage due to common assumptions made by viruses such as the size of the floppy disk it's infecting?
I found one lost cluster, and a couple of hidden files (a ~-something.DOC MS Word file and a file from a screen saver called SlideShow - PUZZLE.EXE - both files tested negative for viruses). Does this virus hide in sectors marked "bad" or otherwise encrypt/morph/stealth itself?

Any and all information is appreciated. Please respond via email to donald.jackson@psyberdyne.com, or reply via email to the account from which this was posted, it will be forwarded to me. I don't normally follow this newsgroup, so any info on how I can get a comprehensive list of viruses (esp. new ones) so I don't clutter up the usenet any more than I have to will also be very much appreciated.

TIA-
Donald Jackson

------------------------------

Date: Fri, 13 Jan 95 12:22:27 -0500
From: leeng@technet.sg (Vei-Ming Chong)
Subject: How to clean 69 and AntiCOMS ?? (PC)

Recently I have seen quite a few 69 + anticmos viruses. Any suggestion on a GOOD virus cleaner and detector for them?

Many thanks!

Vei-Ming
~~~~~~~~
.----------------------------------------.
| Vei-Ming Chong, R&D Department         |
| Optics Storage Pte Ltd, Singapore      |
|----------------------------------------|
| Tel      : (65) 382-3100               |
| Fax      : (65) 281-2786               |
| Internet : leeng@einstein.technet.sg   |
`----------------------------------------'

------------------------------

Date: Fri, 13 Jan 95 13:33:01 -0500
From: Iolo Davidson
Subject: virus detection (PC)

news@hpg30a.csc.cuhk.hk "" writes:

> In the market, which virus detection software is the best?

January 1995 "SECURE Computing" gives Editor's Choice to Dr. Solomon's Anti-Virus Toolkit, and Recommended to F-Prot Professional and Thunderbyte. This is in a review of 17 anti-virus products, testing only the stand-alone virus scanner part of the product. The checksummer and memory resident components are to be tested in a review in the February 95 edition.

(I am the technical editor of "SECURE Computing".)

- --
SAID ONE WHISKER
WITH THIS STUFF
TO ANOTHER BROTHER
CAN'T GET TOUGH
                 Burma Shave

------------------------------

Date: Fri, 13 Jan 95 19:02:33 -0500
From: creid@ccinet.ab.ca (C. Reid)
Subject: F-Prot (PC)

I am a new user on the internet and am having difficulty trying to locate a certain file. I would appreciate it if somebody could point me in the direction of the virus protection program F-Prog. Or any other similar program. If possible could you please contact me via E-mail creid@ccinet.ab.ca

Thank you
David Reid

------------------------------

Date: Fri, 13 Jan 95 23:15:28 -0500
From: GeorgeAl@ix.netcom.com (George Alexeief)
Subject: Barrotes virus (PC)

I recently came across the Barrotes virus on two machines in my organization. I ftp'd from mcafee.com, their scan117, and used it to successfully identify seven .exe files that scan117 showed as infected by the following:

Barrotes [Bar]
Barrotes [B5]

Do I understand the dual references to Barrotes correctly, i.e. that it was a single virus infection (with 1k addition to the .exe files) which left two signatures (bar, and B5), which clean117 can then deal with? Or are these two related but distinct viruses working in tandem? The viruslst.txt file only lists the first entry, so I hope that the B5-"strain" doesn't have additional attributes (like burrowing or polymorphism).

Can anyone advise?

george a.
los angeles, california

------------------------------

Date: Fri, 13 Jan 95 23:28:11 -0500
From: tr5374@csc.albany.edu (REYNOLDS THOMAS)
Subject: unknown possible virus--new post (PC)

I apologize in advance if I'm merely being stupid, but I observed strange behavior right after getting F-Prot 2.13a at school in 09/94. The next day, I went to the school computer I'd copied from, ran its own F-Prot on it and it found a virus (Form, I believe, or maybe Stoned--I'm not sure now). The day after, several computers by it were roped off, all virused.
Chkdsk at the time of the strange behavior showed a decrement of approx 17K memory; then shortly after, a decrement of only approx 8K; then only 32 bytes. I'll not describe more details--perhaps they're not important.

I've been reading comp.virus since then, but no one at school has been much help. I've tried shareware F-Prot through 2.15, but nothing definite ever found; McAfee Scan 114 and 117 find nothing; and my old CPAV from early 94 finds nothing. I tried fdisk /mbr and sys from a good floppy. Now I try to learn to use PCTools DiskEdit and look at files in hex, and find the three basic system .COM (and PCTools vwatch.com, identified (1st) by F-Prot 2.15 heuristics as "modified") all start with E9, which an October 1994 post by Kevin Marcus (very informative) said was a characteristic of infected .COM files. Also odd, the end of the hard drive is all hex "36" bytes for very many sectors except for approx 2 1/2 lines at the start of the sixth sector from end (120MB drive, approx 47MB never used yet).

Can someone help me, even if only to tell me I'm worrying too much? Thanks very much.

Tom Reynolds, tr5374@cnsunix.albany.edu
(We seem to get comp.virus only in occasional batches.)

------------------------------

Date: Sat, 14 Jan 95 10:22:19 -0500
From: inform
Subject: EXEBUG virus in Novell network (PC)

Does anyone know how you can destroy the virus EXEBUG in a Novell Network? What is at the moment the most powerful anti-virus software for a Novell network?

Thanks a lot.
Katia

------------------------------

Date: Sun, 15 Jan 95 04:22:29 -0500
From: Jason Wilkinson
Subject: Stoned Variation (PC)

Norton Anti Virus detects a "Stoned Variation" virus on my system. When I boot from the hard drive everything seems fine but the virus is resident in memory. Now when I boot from a clean floppy, my hard drives become inaccessible to me, responding with "invalid drive specification", so that I am not able to this crappy little boot sector virus. Could someone please offer me some suggestions.

------------------------------

Date: Sun, 15 Jan 95 14:21:20 -0500
From: amiel@umr.edu (Jeffrey A Amiel)
Subject: Help, Monkey on my back!! (PC)

Ok....The old monkey virus hit me hard..... Noticed the computer running sluggish.... ran McAfee Scan 117 and lo and behold, Monkey [Mon] was found. It was not until I accidentally infected 2 clean boot disks (write protect) that I wised up. There was a point when I was infected where I could still read files... now I have 4 non-dos partitions on the drive and Clean 117 won't touch it (can't access drive C---invalid drive)

Does Monkey attach itself to exe files?? Did I get this from something I downloaded off of Simtel or does it only reside in the boot sectors of floppies and fixed disks?? Am I screwed?? Is there any hope for getting my partitions back to normal or do I format, clean, and resort to my 10 day old backup?

I emailed McAfee, but with the holiday weekend, I doubt they will get back to me in time.... Any help would be MUCH appreciated.

Jeff Amiel
amiel@umr.edu

------------------------------

Date: Mon, 16 Jan 95 10:31:19 -0500
From: cuthbert@temasek.teleview.com.sg (Shepherdson Cuthbert Nicholas)
Subject: 69 virus (PC)

Hi there,

I recently came across this virus which can be only detected by this version of Scan and probably later (tried a beta 2.1.4). Ironically, I could not find out any info of what this virus can do or what damage it can cause. I thought initially that it was a false alarm, but F-Prot and TBAV also detect the possibility of a boot sector infection on diskettes detected by Scan 2.1.3.

The virus can spread very easily. All you need to do is a DIR command on an infected diskette, and the virus goes into the memory of your PC. Every disk that you do a Dir on is also infected. It can also infect the hard disk (tried this out). I removed the virus from the hard disk using the FDISK/MBR command and powered off the PC. For diskettes, it's a big problem.
Got a number of diskettes infected, will need to reformat them. Well, has anyone else come across this virus and knows what it maliciously does? And knows of better ways to remove this virus from infected diskettes? (Actually got a program from a BBS here to just overwrite the boot sector which does remove the virus... only thing is that all my diskettes have the same vol no...)

Can anyone comment/advise?

Thanks
Bert

------------------------------

Date: Mon, 16 Jan 95 22:39:53 -0500
From: jdaro@netcom.com (Jeffrey Daro)
Subject: Network Scans (PC)

I am looking for a virus scan/removal system that would be powerful over a Novell and/or NT server network. Price is really not a problem as this is for a very important network. Does anyone know of a good scan/cure? I am interested in all options, store bought or net shareware.

Thanks.

- --
- -------------------------------------------------------------------------------
| Jeff - Daro@Ukko.Rowan.Edu       |                                           |
|        JDaro@Netcom.Com          | My only love sprung from my only hate!    |
|----------------------------------| Too early unknown, and known too late!    |
|        T A Z M A N I A           |                                           |
|        Ukko.Rowan.Edu 5000       |                                           |
- -------------------------------------------------------------------------------

------------------------------

Date: Tue, 17 Jan 95 10:09:50 -0500
From: Alfred JILKA
Subject: icarus virus-utils (PC)

hi all,

my boss just gave me a complete suite of icarus virus-utils for evaluation. It contains versions for DOS, WINDOWS and NETWARE. Though I heard that some experts were impressed by their virus-definition-language I'm not sure about the effectiveness of the product itself. Is there anyone out there in netland to comment on this product?

TIA,
Alfred

- --
A U S T R I A  (Linz, Vienna, Salzburg, Innsbruck, Graz -- HOME)
********************************
* Geological Survey, Austria   *
* jilka@gbaws4.zamg.ac.at      *
* Phone: +43/1/712-56-74/96    *
* Fax:   +43/1/713-64-57       *
********************************
BB | !BB   William Shakespeare

------------------------------

Date: Tue, 17 Jan 95 10:17:00 -0500
From: excoffier@cemag-lyon.fr (David EXCOFFIER)
Subject: Do you have features of 2KB Virus ??? (PC)

Hi netsurfers.

I've a problem. Numerous PCs' HDDs & floppies have been infected by 2KB VIRUS (according to Virus Scan from McAfee). We're in the phase of eradication of this virus, but lots of users ask me what are the features of this virus and how dangerous it is. I absolutely have no answer to their questions (except that 2KB is a virus resident in the Master Boot Record, or Boot sector of Disks).

So, if someone knows what are the features of this 2KB VIRUS, and the consequences of its activity, I'd then be able to reply to their questions.

Thanks in advance for your precisions.

E-mail me: excoffier@cemag-lyon.fr

------------------------------

Date: Tue, 17 Jan 95 21:06:10 -0500
From: scotts95@aol.com (ScottS95)
Subject: Re: McAfee vs Central Point vs F-Prot (PC)

>I currently run F-Prot, which seems to have received high marks in this
>group. Is McAfee or Central Point worth the expense, or is F-Prot plenty
>good enough. the obvious advantage for me is Central point, because I
>have PC Tools as my Windows shell, and CP runs from that platform. but I
>feel that 49.95 vs free is a rook.

my observations are that the biggest difference, assuming you keep up on the new signatures etc. is that the major difference is which you prefer. All work. I personally have been with CPAV since 1.0 and McAfee since the earliest Shareware days (I think 0.51). The only thing is that if you load multiple AV programs, often enough the signature code of one will trip another... so watch which file names are alleged to be diseased ;)

scotts95@aol.com

------------------------------

Date: Wed, 18 Jan 95 19:20:42 -0500
From: bblinn@infinet.com (Bill Blinn)
Subject: "FORM" virus (PC)

A customer will bring in his computer tomorrow.
Central Point Anti Virus says it's infected with the FORM virus. I've looked, but not yet extensively, and have found nothing about that virus. I'll continue looking; but if you know anything about this particular virus, I'd appreciate some advice -- either here or direct to me via e-mail.

Thanks!

- ---
Bill Blinn (bblinn@infinet.com) -- N8POV@W8CQK.#CMH.OH.US.NOAM (Ham Radio)
The first rule of intelligent tinkering is to save all the parts.
Speaking on, but not for, NewsRadio 610 WTVN.

------------------------------

Date: Wed, 18 Jan 95 20:29:58 -0500
From: elcentro@cyberspace.com
Subject: Virus Protection Software (PC)

I am the computer support person at a large non-profit organization. Our license for our virus protection software has just expired. I am in the process of coming up with alternatives for the current package we have. It is McAfee's virus protection software. I have no problem with this software except the price. I would appreciate either your recommendations, pointers to reviews, and any other aid you can give me. I have been searching for resources on the Internet but haven't found that much yet.

Thank you for your time.

Richard E. Amerman (elcentro@cyberspace.com)

------------------------------

Date: Thu, 19 Jan 95 00:08:28 -0500
From: zapper01@technet.sg (Ho T S)
Subject: GENB Queries (PC)

I did a scan with the latest version of McAfee's scan and it showed that I had a GENB virus in the boot sector or something like that. It also stated that there is no "cure" for it at present. Can anyone help by telling me how to reformat such that it goes? I tried fdisk-ing but it doesn't work. I figure a low level format would have to be done. How do I do that?

Thanks

------------------------------

Date: Thu, 19 Jan 95 04:18:54 -0500
From: conic@math-appli-uco.fr (conic)
Subject: Coruna 4 infection (PC)

Hi, I'm trying to find any means to fight against the Coruna4 virus; the more recent versions of McAfee recognize the virus sometimes but they are not very efficient against it (V117 SCAN, CLEAN & 2.1.3). Does anyone know how to destroy the virus? Please E-Mail if you've any information.

Thanks in advance
Nicolas CONAN

- -----------------------------------
Institut de Mathématiques Appliquées
Université Catholique de l'Ouest
conic@math-appli-uco.fr
http://www.math-appli-uco.fr
- -----------------------------------

------------------------------

Date: Thu, 19 Jan 95 15:49:09 +0000
From: noam@techunix.technion.ac.il (Amir Noam)
Subject: Invircible software review (PC)

i recently heard of a review of the invircible antivirus package, but i can't find it anywhere. i'm considering it for our network, so i'd appreciate any advice, pointers, and info about this elusive review.

thanks,
noam amir
noam@techunix.technion.ac.il
noam@laum.univ-lemans.fr

please respond by email!

------------------------------

Date: Thu, 19 Jan 95 19:38:24 -0500
From: raymoon@DGS.dgsys.com (Raymond Moon)
Subject: Virus question... (PC)

[ Article crossposted from alt.msdos.programmer ]
[ Author was Jason L Perron ]
[ Posted on 18 Jan 1995 17:07:13 GMT ]

Hello all,

I am not sure if this is the best place to post this question, but here it goes anyways....

Has anybody heard of or know anything about a virus named LENART? From what I have been told, this is a fairly new virus that might have come out around Sept/Oct. 1994. I am asking this because a friend of mine recently bought a large computer system that suddenly crashed. Upon calling in the person who sold him the system he was told the crash was due to this LENART virus.
This would be fine, but the salesperson doesn't seem very honest/reliable and my friend is afraid that the salesperson made up the story about the virus to cover up the fact that he doesn't know what he is doing and is also trying to make more $$$ by fixing the system.

ANYBODY know anything that could help me out?

Sincerely,

- ---------------
Jason
perron@wpi.edu

------------------------------

Date: Thu, 19 Jan 95 19:59:28 -0500
From: raymoon@DGS.dgsys.com (Raymond Moon)
Subject: AntiCMOS A - Desire Info (PC)

Does anyone have any information on AntiCMOS A? From McAfee tech, I was told that it reportedly attacks the CMOS of certain computers by nulling the CMOS. Implied but not known is which computers are vulnerable to attack by this virus. Anyone with experience, information would be greatly appreciated.

For information, cleaning appears to be easy. For hard disks, "format \mbr". For floppies, "format \u".

Thanks in advance.

Ray

------------------------------

Date: Thu, 19 Jan 95 22:52:16 -0500
From: jerejian@tartarus.uwa.edu.au (Rafi Jerejian)
Subject: Re: Junkie virus (PC)

Whodini writes:

>On 23 Dec 1994, John Davey wrote:
>> Hopefully someone reads this.
>>
>> I've picked up the junkie virus from somewhere, ftp I think, getting kermit.exe.
>>
>> Anyway, we can't seem to get rid of it, it seems to stick to com files, clean
>> gets rid of it, but after a clean boot it seems to re-appear.
>> Any comments?
>
> Use F-Protect to clean your Hard Drive's boot sector. It stays in
>the MBR. McAfee won't clean it, and F-Prot won't clean files with it
>(it just sits there and tries to clean it over and over). Find all the
>files with it, delete them, and boot on a clean system disk. Use
>F-Protect to clean your boot sector, and you will be fine. (Just got rid
>of it a week ago)

We were infected with the junkie virus this morning and used F-protect (sept 1994 version) to disinfect files without any problem. Do you have an older version of this?

- -Rich.

- --
+----< jerejian@lethe.uwa.edu.au >--------------------------------------------+
  "NEWSFLASH: Suicidal Twin kills brother by mistake"
+--------------------------------------------< jerejian@lethe.uwa.edu.au >----+

------------------------------

Date: Fri, 20 Jan 95 00:15:27 -0500
From: Michael Jackson
Subject: Re: Stealth C virus (PC)

The Mermaid writes:

>I saw this virus about a week ago, and I think the McAfee scanner said
>it was a strain of the Genb virus. The virus was in the boot sector of
>the disk, and the only thing we knew to do was to reformat the disk. If
>anyone else knows any other ways of ridding floppies of this virus, please
>post. Thanx.

I've run into several machines here in the local area that were infected also. I've found that F-Prot will disinfect the disks.

-Mike
mrjackson@delphi.com

------------------------------

Date: Fri, 20 Jan 95 04:24:14 -0500
From: "Ferenc Bajan - Centre of Informatics"
Subject: BACKFORM virus (PC)

I have a user who has found the Backform virus in the file COMMAND.COM (MS-DOS 6.20). This virus is in the stack area, no length difference on the disk. He used F-Prot 2.15 and TBAV (Scan 2.1.12 has found nothing). F-Prot could not remove the virus, TBAV seems to clean it, but after this, COMMAND.COM's length is 5488 bytes....;-)

What does this virus do, and how to remove it?

- ----------------------------------------------------------------------
Ferenc Bajan
Centre of Informatics
BDTF Szombathely
H-9700 Szombathely
Karolyi G. ter 4.
bferi@fs2.bdtf.hu
- ----------------------------------------------------------------------

------------------------------

Date: Fri, 20 Jan 95 09:29:09 -0500
From: aureyre@grenet.fr (Jean Luc Demoisson Jean Claude Chaperon)
Subject: Is "jumper" an alias for "2kb"? (PC)

I'd just like to know if silly, jumper and 2kb are the same virus.

thank you!
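Several posts in this issue ask how to confirm a boot-sector infection when the scanners disagree. Phil Booth's NYB-boot description above gives a concrete handle for that: the original MBR is copied to cylinder 0, head 0, sector 17 (LBA 16) and the partition table is carried over intact, so a raw disk image contains two MBR-like sectors with matching partition tables and different boot code. The Python below is an added example written for this digest, not code from any of the posts, products or vendors mentioned; the disk image, boot-code bytes, partition entry and the `build_*`/`check_*` function names are all constructed here, and the stash location is a parameter so the same check covers any boot-sector virus that parks the original sector in the otherwise unused cylinder 0 gap.

```python
"""Offline check of a raw disk image for a relocated (stashed) original MBR.

Added example, not from the digest. The image layout and all byte values
below are constructed for the demonstration.
"""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"      # end-of-sector boot signature
PT_OFFSET = 0x1BE          # partition table: four 16-byte entries
PT_LEN = 64


def chs_to_lba(cyl, head, sector, heads_per_cyl=16, sectors_per_track=63):
    """Classic CHS -> LBA (sector numbers are 1-based). Anything on cylinder 0,
    head 0 is geometry-independent, so (0,0,17) from the NYB post is LBA 16."""
    return (cyl * heads_per_cyl + head) * sectors_per_track + (sector - 1)


def read_sector(image, lba):
    off = lba * SECTOR
    if off + SECTOR > len(image):
        raise ValueError("sector %d is beyond the end of the image" % lba)
    return image[off:off + SECTOR]


def parse_partition_table(sector):
    """Decode the four MBR partition entries, skipping empty (type 0) slots."""
    entries = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        if e[4] == 0:
            continue
        start_lba, size = struct.unpack_from("<II", e, 8)
        entries.append({"bootable": e[0] == 0x80, "type": e[4],
                        "start_lba": start_lba, "sectors": size})
    return entries


def check_relocated_mbr(image, stash_lba=chs_to_lba(0, 0, 17)):
    """Compare sector 0 with the suspected stash sector. The pattern that
    matches the NYB description is: both carry the 55AA signature, the
    partition tables are byte-identical, and the boot code differs."""
    mbr = read_sector(image, 0)
    stash = read_sector(image, stash_lba)
    f = {
        "mbr_signature_ok": mbr[510:] == MBR_SIG,
        "stash_looks_like_mbr": stash[510:] == MBR_SIG,
        "partition_tables_match":
            mbr[PT_OFFSET:PT_OFFSET + PT_LEN] == stash[PT_OFFSET:PT_OFFSET + PT_LEN],
        "boot_code_differs": mbr[:PT_OFFSET] != stash[:PT_OFFSET],
    }
    f["relocated_mbr_suspected"] = all(f.values())
    f["partitions"] = parse_partition_table(mbr)
    return f


# --- constructed sample images (no real loader or virus bytes) ---------------

def _mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot-code bytes and
    (bootable, type, start_lba, size) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, start, size) in enumerate(entries):
        off = PT_OFFSET + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, start, size)
    sector[510:] = MBR_SIG
    return bytes(sector)


ORIGINAL_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 40  # stand-in
VIRAL_BOOT_CODE = b"\xEB\x1C\x90" + b"\xCC" * 60                             # stand-in
PARTITIONS = [(True, 0x06, 63, 200000)]                                      # one FAT16 entry


def build_clean_image(total_sectors=64):
    img = bytearray(total_sectors * SECTOR)
    img[:SECTOR] = _mbr(ORIGINAL_BOOT_CODE, PARTITIONS)
    return bytes(img)


def build_infected_image(total_sectors=64):
    """Mimic the described infection: copy the original MBR to the stash
    sector, then overwrite sector 0 with other code but the same table."""
    img = bytearray(build_clean_image(total_sectors))
    stash = chs_to_lba(0, 0, 17)
    img[stash * SECTOR:(stash + 1) * SECTOR] = img[:SECTOR]
    img[:SECTOR] = _mbr(VIRAL_BOOT_CODE, PARTITIONS)
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("clean", build_clean_image()),
                      ("infected", build_infected_image())):
        r = check_relocated_mbr(img)
        print("%-8s relocated MBR suspected: %s  partitions: %s"
              % (name, r["relocated_mbr_suspected"], r["partitions"]))
```

The image has to be taken with the suspect machine booted from known-clean, write-protected media (the advice that recurs throughout this issue) or read on another system: the post says the resident handler hooks INT 13h and masks its presence, so a read taken through the running virus would return the original sector and the comparison would find nothing.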
------------------------------

Date: Fri, 20 Jan 95 11:40:25 -0500
From: j.s.elrick@stir.ac.uk (Ian Elrick)
Subject: W-BOOT.A (PC)

Hello Folks

I have just discovered a user with the W-BOOT.A virus (according to F-Prot v 2.15) and have succeeded in disinfecting using the same package. I like to get info on what viruses I am dealing with though, and I cannot find it anywhere. What other names does it go under????

Thanks in advance.

Ian Elrick

------------------------------

Date: Fri, 20 Jan 95 14:04:08 -0500
From: chou@stamina.csd.hku.hk (Chou Sui Lin)
Subject: boot sector (PC)

Does anyone know how to get rid of a boot sector virus named "bootexe.451"? The file setver.exe was also infected with "bootexe.452".

Thanks in advance
chou

- --
- -----------------------------------------------------------------------
Sui Lin CHOU    Email: chou@csd.hku.hk

------------------------------

Date: Fri, 20 Jan 95 18:29:41 -0500
From: "Garb, Gary [BB]"
Subject: Need info re: "Wolfgang Gullich" Virus (PC)

One of my users reports a suspected boot sector virus that displays "WOLFGANG GULLICH" on the screen. It is detectable with F-PROT 2.15. Does anyone recognize this virus(?) and have any info on it? Any help is much appreciated.

Gary Garb
Unisys Corporation
"Beware of Geeks bearing GIFs"

------------------------------

Date: Sun, 15 Jan 95 03:54:29 -0500
From: dk@burka.carrier.kiev.ua (Dmitry S. Kohmanyuk)
Subject: f_def482.zip - File Defender Plus: File protection driver

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

ftp://oak.oakland.edu/SimTel/msdos/virus/f_def482.zip

SimTel/msdos/virus/
f_def482.zip    File Defender Plus: File protection driver

File Defender Plus v4.82 is a file-level data protection driver. It allows you to selectively protect files from modification, therefore blocking possible virus infections.
File Defender Plus enhances the way DOS treats the read-only attribute of files - it can only be set once, and cannot be removed. You can easily set all your executable files to read-only (use the DOS ATTRIB command, for example), and they would be safely protected from viruses. If a program tries to remove the protection you will hear an audible warning sound.

Environment: PC/MS-DOS 3.30+, DR-DOS 6+, Novell DOS 7
FreeWare.

Author: Compact Soft
Uploaded by:
Dmitry S. Kohmanyuk
Dmitry.Kohmanyuk@UA.net
dk@burka.carrier.kiev.ua

------------------------------

Date: Wed, 18 Jan 95 04:42:29 -0500
From: aryeh@mcafee.com (McAfee Associates)
Subject: McAfee VirusScan 2.1.4 uploaded to SimTel (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

ftp://oak.oakland.edu/SimTel/msdos/virus/scn-214e.zip
ftp://oak.oakland.edu/SimTel/msdos/virus/vsh-214e.zip
ftp://oak.oakland.edu/SimTel/msdos/virus/whatsnew.214
ftp://oak.oakland.edu/SimTel/msdos/virus/wsc-214e.zip

SimTel/msdos/virus/
scn-214e.zip    VirusScan V2.1.4 scans/cleans viruses (V214 data)
vsh-214e.zip    VShield V2.1.4 antivirus TSR (V214 data)
whatsnew.214    Errata for VirusScan & VShield 2.1.4
wsc-214e.zip    VirusScan V2.1.4 for MS-Windows (V214 data)

replaces: scn-213e.zip, vsh-213e.zip, wsc-2123.zip

WHAT'S NEW

Version 2.1.4 of the VirusScan series adds detection for many new viruses. A complete list can be found by running SCAN with the /VIRLIST switch (DOS, OS/2) or clicking on the "Virus Info" icon (Windows). Additionally, new or improved removers have been added for the FORM-A, Junkie, Natas, NYB, Parity Boot B, and Sampo (alias "69") viruses.

Two new options have been added to the command-line versions of VirusScan, the /FREQUENCY switch and the /MEMEXCL switch:

o The first, /FREQUENCY, allows VirusScan to be run only after a specified number of hours have passed.
This allows network administrators to periodically run VirusScan from a network login script.

o The second, /MEMEXCL, excludes a range of memory from being scanned for viruses. This can prevent conflicts with other anti-virus hardware and software.

For details, please refer to the WHATSNEW.214 file.

There have also been numerous bug-fixes and enhancements, which are gone over in the WHATSNEW.214 file. Please download and read this file before using VirusScan or VShield 2.1.4, even if you are an experienced McAfee user.

One thing I forgot to mention in the WHATSNEW.214 file is that we've made some internal changes to VShield to make it more compatible with OS/2 DOS-VDM and WINOS2 sessions. There is no change to VShield's command line options.

For Validate information, please refer to the PACKING.LST file inside each program's .ZIP file.

Regards,

Aryeh Goretsky
Technical Support
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, Suite 200| FAX (408) 970-9727   | IP# 192.187.128.1
Santa Clara, California  | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | America Online: McAfee

------------------------------

Date: Fri, 03 Feb 95 13:19:12 -0500
From: Zvi Netiv
Subject: InVircible review in Virus Bulletin - part 2/2 (PC)

This is the second part of my rebuttal on the InVircible "product review" published by the Virus Bulletin, December 1994. "VB>" in the following stands for quotes from the above article, in Virus Bulletin.

VB> Accuracy

VB> The product detected 114 of the 248 infected test samples in the
VB> Technical Details - a mere 46%. Of viruses new to the last three test-set
VB> upgrades, only six samples (21%) were detected; of those new to the most
VB> recent upgrade, precisely none.
VB> I store all infected test samples with
VB> non-executable file extensions: when I renamed files to an executable
VB> extension, another six (Durban, 1575, four of Number of the Beast) were
VB> detected as infected - I could not ascertain why.

I am surprised that the _scanner_ detected THAT MANY! In a well assorted virus collection IVSCAN should detect from 2% to 4% at the most. These include only the most prevalent viruses. No collection or rare viruses are included in IV's database. The 21% and 46% figures indicate Dr. Jackson used a rather poor and non-representative virus collection for his "test."

VB> None of the 500 Mutation Engine-infected test samples were detected, and
VB> although all nine boot sector viruses were spotted, Monkey, Italian,
VB> Form and Spanish Telecom were detected only as 'generic' infections. The
VB> fact that Form, which is the most prevalent in-the-wild virus, was not
VB> specifically identified, hardly inspires confidence.

We already stated that InVircible isn't a virus scanner. As such it cares very little about virus names and naming conventions. In most cases it will simply detect a virus, inform the user of the virus _characteristics_ and then remove it. The fact that certain viruses were detected without giving them a name _proves_ that IV's generic (i.e. non virus specific) methods are effective! Two such generic methods dismissed by the reviewer as "buzzwords" are the "on-line boot sector analyzer" and See-Through. I hope you are beginning to realize that Dr. Jackson even fails to understand the true significance of his own "test" results.

Traditional scanners that use virus-specific detection and cleaning routines must correctly identify the exact virus involved. If they can't, both detection and cleaning can fail miserably. InVircible, on the other hand, uses generic methods of detection and restoration so that identifying the specific virus involved is not necessary.
The MtE samples test is one of the biggest fallacies, hyped and blown to monstrous proportions by the antivirus community. Since the publication of its source code four years ago there isn't one single virus in the wild that is based on this engine! Yet this fact hasn't prevented the gurus and self-inflated pseudo-experts from running contests to see how many "zillions" of mutations they can create and how many scanner X, Y, or Z can detect. :-) What a sad joke. The many MIPS, gigabytes of storage space, and wasted man-hours spent on this stupid issue haven't contributed a bit to antivirus technology. Perhaps a few egos have been inflated and bolstered but that's it. The end-users haven't received better products from this exercise, I assure you.

If the reviewer had been competent enough to properly install InVircible on his machine he would have seen for himself that InVircible can restore all the files infected with his "researchers' sample" :-) of MtE viruses, byte for byte, down to the time stamp of the original file! But as I said, MtE is no big deal. Its only conceivable purpose is to scare the uninformed reader with the fear that one can "mutate" undetectable viruses that can irreparably damage their systems. InVircible can detect and repair any virus attack from an MtE virus, I assure you. If you doubt me, you can prove it to yourself with a copy of InVircible in full authorization mode. I, for one, won't be holding my breath waiting for e-mail advising me otherwise. :-)

VB> The onscreen help says that the scanner 'PURPOSELY contains only a few
VB> hundreds of the most widespread or dangerous viruses'. This, and the
VB> manual, further justifies the abysmal performance of the scanner by
VB> saying that it should not be tested against virus collections - sadly,
VB> viruses are unlikely to take much notice of this plea.

More hype and last famous words.
VB> Integrity Checking

VB> The manual states that the integrity checking software 'takes a 66 byte
VB> snapshot (signature) of critical information from each executable file'.
VB> InVircible affirms that it is able from this to verify the integrity of
VB> each protected file and repair damage caused by viruses. However, no
VB> details are provided of exactly what this signature is.

This is as far as the Virus Bulletin's reviewer went in testing the prime feature of InVircible. Dr. Jackson's misplaced passion for, and conceptual dependence upon, the idea of "scanning" for viruses is probably the reason why he failed to notice that he installed InVircible improperly. Since he did fail to install it properly he couldn't even test the restoration ability of IVB (InVircible's generic integrity analyzer and file restoration program).

VB> Verification of the integrity of the same hard disk used for the scanner
VB> tests takes 41 seconds under MS-DOS, and 43 seconds under Windows -
VB> about two-thirds of the time taken to scan the disk. Integrity checking
VB> is without a doubt the best part of InVircible. It works quickly and
VB> efficiently; however, it only concentrates on the beginning and end of
VB> files, where viruses are likely to act - alteration of bytes from about
VB> 2000h upwards is not noticed.

Plain rubbish! The reviewer obviously assumed things, "sucked from his finger" or from his poor understanding, of how to test integrity analyzers and generic recovery - the latter he couldn't even test because he failed in installing the program. Testing antivirus integrity analyzers needs understanding in virus matters and some common sense. If altering bytes at random in a program is what the reviewer understands as virus doing, then whoever gave him his Ph.D. should have second thoughts. InVircible can recover from prepending as well as appending viruses.
It also restores programs from split viruses (both prepending and appending), dislocated entry point viruses, and even from complex multiple infections by different viruses! Furthermore, InVircible will tell if the changes are the result of virus doing or just legitimate changes, as well as whether the program is recoverable.

VB> My main complaint with integrity checking is that InVircible creates a
VB> data file in each directory: it should maintain these files in its own
VB> directory. The documentation claims this is a positive feature, as, if a
VB> single database file is corrupted by a virus, all integrity checks are
VB> lost.

Once again the reviewer's self confidence that he knows better proves to be only vanity and poor judgement. InVircible's database is indeed a distributed one, but not only for the reason stated above, which is a good and valid one in itself. Here are a couple of additional ones:

First, the on-line database makes its maintenance and management fully automatic. All added files are automatically secured during the daily check, directories can be renamed and moved around without losing track of the integrity files.

Secondly, the integrity signatures stay attached to the protected files. When a directory is backed up, its integrity database accompanies it, and its files can be restored wherever they are, without requiring the user to return them to the same drive and directory! This can be extremely important under many circumstances.

Unified integrity databases were implemented in certain products, and without mentioning names, I'll just state that changing just one byte (!) in that database voids the whole thing and makes it useless! If the distributed database of IV is no good in Dr. Jackson's eyes, what is his opinion about doing the same in Thunderbyte, Integrity Master and many others?
I am not sure I was the first one using a distributed database for this purpose, but I did it as early as 1989 and am proud that it proved to be the best way to do it.

VB> Disinfection

VB> The integrity checker and the scanner offer several methods for removing
VB> viruses from infected files. None of these are available unless the
VB> software has been executed from the original floppy disk, or the
VB> 'authorization key' installed from the original floppy. InVircible
VB> refuses to install the authorization key unless it can write back to the
VB> original floppy. This is a seriously poor idea: master disks should be
VB> inviolate, and software which insists on writing back to what is the
VB> only working copy should be treated with contempt.

In other words, Dr. Jackson read about it in the manual, but never managed to test it, as he flopped in installing the software. His vanity surely kept him from asking how to do it properly, as already stated above.

VB> The developers state that 'anti-viral programs that lack good recovery
VB> features are a waste of time and money'. I disagree. Always, but always,
VB> replace an infected file with a clean copy of the original. Trying to
VB> mop up after a virus is always a hit and miss affair, and with many
VB> viruses, impossible.

Since the reviewer never tested IVB's restoration ability, how can he be so arrogant? On the first day of 1995, InVircible restored 867 infected files from integrity signatures, out of more than 3000, on a file server. A dozen infected files were found with the correlator and had to be removed and replaced since they had no integrity signatures. But they were still identified as infected, thanks to the generic hyper-correlator! The restoration took less than 30 minutes and this includes the time spent downing all of the stations and restarting the network. If we had followed Dr.
Jackson's advice to restore from original disks or from backups, the cleaning of the system could have taken a whole week or even more! Not to mention that the attacking virus wasn't detected by even a single scanner of half a dozen that were tried! :-)

VB> Even if I could be persuaded that disinfection is a good idea,
VB> InVircible does not use the technique efficiently. Take for example the
VB> 66-byte entry created by the integrity checker for each file: no matter
VB> what information is stored there, if a virus affects a greater number of
VB> bytes, re-creation of the original will be impossible. The developers
VB> will no doubt argue that viruses usually affect the start/end of a file:
VB> true, but if disinfection techniques like those used in this product
VB> became commonplace, virus authors would soon take account of that fact,
VB> and alter their methods accordingly.

The proof of the pudding is in the eating. If the reviewer wasn't such a flop in installing IV, then maybe he could have tried and seen for himself. Then he could have enjoyed speculating and imagining the wildest theories on how this could really be done. But, since he failed on such a simple task as installing the software properly, he speculates on what he has never seen. As a scientist we can say, at best, that he failed. Since he is also a technical reporter and journalist, this is simply unforgivable. Dr. Jackson's failure(s) reflect negatively on the Bulletin and its editor as well, don't they? I believe so, especially since I gave Richard Ford notice of the above failures prior to publication of the review!

VB> The scanner offers several methods for restoring original uninfected
VB> files. These, however, only work if the scanner detects an infection: as
VB> observed above, this does not happen often! Of the 114 test files
VB> detected as infected, InVircible claimed to have removed the virus from
VB> 81, deleted 15 and asked that the integrity checker be used to remove 15
VB> more.
VB> Both COM and EXE versions of Jerusalem were marked 'restored':
VB> InVircible appeared to distinguish between this action and virus
VB> removal. When the Necropolis virus was active, the message 'Please refer
VB> to the Manual' appeared onscreen - the manual was no help. Curiously,
VB> one sample of AntiCAD caused InVircible to remove the virus, restore the
VB> file, and then remove the virus again. All by itself.

VB> The integrity checker's disinfection routine too was unsuccessful: no
VB> other files were flagged as restored, and only six were marked as having
VB> a different signature (Monxla, Butterfly, and two each of Murphy and of
VB> Sibel Sheep). The six viruses missed by the scanner when not stored as
VB> COM or EXE files were also not found by the disinfector, even if they
VB> were COM or EXE files.

I have a serious problem with the above paragraphs: is the reviewer really such a technical disaster or is he deliberately lying?

VB> Next, I tried one of InVircible's special disinfection methods,
VB> designated 'Inverse Piggybacking' by the product. More jargon. Hands up
VB> all those not intimately concerned with virus research who know what
VB> this means. This feature thought that all files it had advised should be
VB> dealt with by the integrity checker were still infected.

VB> The manual further advises a user to 'start with the virus loaded in
VB> memory'. Yes, it is saying that I should execute an infected file. This
VB> kind of advice is plain stupid - at that point I gave up trying to
VB> disinfect any more files.

The stupid one here is the reviewer. If he had any intellectual integrity then he should have done _exactly as instructed_ regardless of how stupid it may have seemed to him, so that he could fairly try the effectiveness of the procedure! If the procedure didn't work, then he could tell the world it was nonsense.
But if it proved right then he should be honest enough to admit it, and try to understand how and why it worked - the explanation is in the manual. From the general tone of Dr. Jackson's review, I am obviously barking up the wrong tree in expecting this degree of intellectual honesty and integrity from him.

VB> Designer Features

VB> The tests performed by InVircible during the boot sequence ran into
VB> trouble with my multi-choice boot selection process. I sometimes use
VB> 4DOS in place of COMMAND.COM: if successive reboots swap between the
VB> two, InVircible produces an error message stating 'The COMSPEC date has
VB> changed, this may indicate an infection'. The fact that a different
VB> command interpreter is in use has not been noticed; the product merely
VB> complains that the date is incorrect.

I suppose that academic education is sufficient to understand that this might be just one of a sequence of messages, and indeed it is. In his obsession to carry out the mission assigned to him, the VB reviewer relentlessly turns anything in favor of the product to look like a flaw. For what it matters, the next message prompts the user to accept or reject the change, the next one indicates a change in size, then prompts again for confirmation, etc. :-)

VB> InVircible has no memory-resident program: in its place is a program
VB> designed to run protection from within batch files. These would have to
VB> be created for everything requiring protection. Such programs would then
VB> have to be launched from within a DOS box: many (e.g. Windows) cannot be
VB> executed in this manner. This type of protection would be of little or
VB> no use in such arenas.

Dr. Jackson forgets to mention that there is no value in using an antivirus TSR when in a DOS box, or that it may even be risky. Windows and OS/2 DOS boxes (or shells) are not real DOS, they are emulated DOS or VDMs (virtual DOS machines). Not all interrupts are restored to their plain DOS state.
Using a DOS based antivirus TSR in a DOS box or VDM risks causing severe conflicts and can disgracefully crash all processes, as many users have surely experienced. Furthermore, the reviewer simply didn't try the general efficiency of the whole package. Just nit picking here and there!

VB> Another component, the Hyper-Correlator, attempts to detect new
VB> non-polymorphic viruses by comparing code at the start of each file. The
VB> manual spends much time explaining what this is not, but fails to define
VB> what it actually is.

It's ironic that a non-academic Texan technician could put the Hyper-Correlator to work without any assistance, and solve in a couple of days a one year long sequence of virus sabotage, while the illustrious reviewer of the Virus Bulletin could not get anything straight, after reading the "good description of the theory behind InVircible", as he admits in his own review.

VB> Features entitled 'ResQdisk' are provided to back up or restore
VB> partitions, using rescue disk information where possible. These seemed
VB> satisfactory, but their use is not for the faint-hearted. They are
VB> powerful, and can restore a disk's partition sector from a virus-created
VB> mess, but can also spell disaster if incorrectly utilized: using a
VB> rescue disk created on another PC may have spectacular side-effects.

This is plain malice! The documentation states over and over again not to swap rescue disks between computers. Every bozo, with or without a Ph.D. degree, knows that you should not use a Norton's or PC Tools' rescue diskette except on the one machine it has been prepared for! Over and over again, the reviewer refuses to acknowledge the more powerful and subtle methods available to users of InVircible. What would he prefer, that users must hire his services to disinfect their systems when powerful _and safe_ methods to do so are being made available to them through InVircible?
VB> Conclusions

VB> This is the second consecutive month I have reviewed a product with a
VB> scanner which is exceedingly poor at virus detection. That the scanner
VB> is the dominant feature of neither product is immaterial: if developers
VB> include a scanner, it should work well. There are several very good
VB> scanners available - InVircible's developers would be well-advised to
VB> license one of these if they cannot keep theirs up to scratch.

This is where Dr. Jackson is at his best, deceptive language! Instead of saying "That the scanner is NOT the dominant feature ... is immaterial" he is playing hit and run, "That the scanner IS the dominant feature of neither ... is immaterial". As for his advice - he can keep it for himself and stay with his scanners and his inflated sense of self-importance and (false) expertise.

VB> As to the features which remove viruses from infected files: no matter
VB> how well they work, infected files should be replaced with known clean
VB> originals. Disinfection is inherently gambling, and I treat all
VB> disinfection features with equal disdain. The 'Hyper-Correlator' is
VB> incomprehensible; I suspect many users would have no idea what to do
VB> with it.

VB> Even with copy-protection removed, given my measured results, which were
VB> well below average, I would find it difficult to recommend InVircible.
VB> Indeed, whilst it is copy-protected, my conclusion is the same as last
VB> month. Avoid.

If Dr. Keith Jackson represents the standard stuff published in the Virus Bulletin, then it's hard to understand who would subscribe for the dubious privilege of receiving such garbage regularly for the cost of $400 a year. To perform your own antivirus software evaluation I would recommend downloading the Antivirus Practice Lab (AVPL102.ZIP) from either Compuserve, a Simtel ftp site, or any of the many other ftp sites on Internet where it is available. Learn for yourself what Dr. Jackson and his like are trying to keep away from you.
You will learn how to test AV scanner software failures such as false alarm susceptibility, safety and ease of use, and even practice your preferred antivirus strategies hands on in a safe environment. AVPL is valuable in forming antivirus expertise, evaluating antivirus packages and testing your antivirus and disaster recovery strategies.

My conclusion, avoid pompous publications lacking in professional etiquette and courtesy such as the Virus Bulletin.

VB> Technical Details

VB> Product: InVircible v5.07A.

Version 6.01 was offered and made available to the Bulletin as early as October 94, but was ignored, as were all my messages.

VB> Availability: Not specified. A hard disk is used to install InVircible,
VB> but execution from floppy disk is possible. Many features are
VB> unavailable unless execution takes place from the original floppy disk,
VB> not a backup copy.

After having properly installed InVircible, _all_ its features are fully available regardless of where execution takes place. The above is proof that the installation wasn't performed properly.

VB> Hardware used: A Toshiba 3100SX laptop computer (16MHz 386) with one
VB> 3.5-inch (1.4 Mbyte) floppy disk drive, 5 MB of RAM, and a 40 MB hard
VB> disk, running under MS-DOS v5.00.

VB> Viruses used for testing purposes: This suite of 158 unique viruses
VB> (according to the virus naming convention employed by VB), spread across
VB> 247 individual virus samples, is the current standard test-set. A
VB> specific test is also made against 500 viruses generated by the Mutation
VB> Engine (which are particularly difficult to detect with certainty). For
VB> details of the test-set, see VB February 1994 p.23.
Commented by Zvi Netiv, NetZ Computing, Israel
email: Zvi Netiv
ftp: ftp.netcom.com/an/antivir/invircible
Fax: +972 3 532 5325

------------------------------

Date: Tue, 17 Jan 95 10:08:44 -0500
From: Jack Holleran
Subject: 12th Annual ISSA Conference & Exposition

Information Systems Security Association (ISSA) is pleased to announce LEARNING From EACH OTHER, the 12th Annual Conference & Exposition to be held April 2-5 1995 at Sheraton Hotel and Towers, Toronto, Ontario, Canada.

The cost is $795 (ISSA Member), $895 (nonmember); Full Day electives $295. Canadians may pay in Canadian Dollars (same rates!)

Brochure and registration form are available from: ISSA Headquarters, 4350 DiPaolo Center, Suite C, Glenview, IL, 60025
Phone: (708) 699-6441; fax (708) 699-6369; or by sending E-Mail to: ISSA @ MCS.COM

The event begins with Pre-Conference Specialty Seminars on Saturday and Sunday. A Welcome Reception and Vendor Exhibition opening will be held Sunday evening - an excellent opportunity for networking! Each Day then begins with Registration at 7:30 and continental breakfast and Vendor Exhibition at 8:00.

April 1 - Saturday (Pre-conference Activities)
Four elective Full Day Seminars to choose among

April 2 - Sunday
The First CISSP Examination sponsored by (ISC)2
Two elective Half Day Seminars to choose
7pm Welcome Reception and Vendor Exhibition

April 3 - Monday's Highlights:
Welcome and General Session will include "How to Handle Internal Investigation and Establish Successful Compliance Programs" by Terry F. Lenzner, a former member of the Board of Overseers of Harvard University with a broad range of experiences in public and private legal investigations.

AM Track Choices: 10:30-noon
A1: Gale Warshawsky of LLNL will explore the merits and processes of Making Computer Security Information Available Electronically
B1: Charles Blauner of Bellcore will Introduce the security issues involved in the use of Distributed Systems.
C1: Francis Labayen and Kimberly Clair of Andersen Consulting will discuss LAN Security issues by component, and their corresponding solutions.
D1: Vendor panel: Viruses: an opportunity to see a virus contained and neutralized, as well as learn from leaders in the field how to avoid the beasties!
E1: Lessons Learned: Richard Heffernan and William Haywood increase the participant's awareness of threats to intellectual property from industrial espionage.

Lunch in the Exhibit Hall

After Lunch Track Choices 1:30-3:00 pm
A2: Rebecca Duncan of DataPro gives a blueprint for effective network security strategy.
B2: Charles Blauner of Bellcore leads a discussion of OSF Distributed Computing Environment (DCE) and its security capabilities.
C2: Robert Kane of Intrusion Detections describes Best Practices for Securing Novell Netware LANs.
D2: Vendor Panel: PC Security Solutions, and the extent of their effectiveness.
E2: Lessons Learned: Jamie Trainer examines a real world example of securing a multinational 1400 heterogeneous node network of workstations and PCs.

Late PM Track Choices: 3:30-5:00 pm
A3: Peter Davis' Manager's Guide to Internet Security
B3: Tsvi Gal, Bank of America; discusses protecting "the network is the computer."
C3: Ed Blackwell presents "Primer for PBX and Voice Mail Fraud"
D3: Vendor Panel: Disaster Recovery - Business Resumption
E3: Lessons Learned: L. Dain Gary, CMU SEI, Internet Security and CERTSM

Late-Late Birds of a Feather and Committee meetings

April 4 - Tuesday Highlights:
Plenary: Crossroads, by Steven J. Green, University of Houston; application and development of computer and communications security responsibility within the work setting.

AM Track choices: 10:30-noon
A4: Teresa Donatelli and Ann McHoes present a detailed discussion of Developing a Security Awareness Program
B4: Will Ozier moderates a panel discussion of the activities of the ISSA GSSP committee in establishing Generally Accepted System Security Principles.
C4: John Clark, Andersen Consulting discusses risks introduced by Frame Relay technology.
D4: Vendor Panel; Pros and Cons of Encryption; determining your need for it.
E4: Sadie Pitcher, Department of Commerce, Disaster Plans.

Lunch in the Exhibit Hall

After Lunch Track Choices: 1:30-3:00 pm
A5: Charlotte Greig, Wells Fargo Bank; How to get (management's) Attention for Information Security Awareness Part I.
B5: Allan Cobb, York University; The Architecture of Audit Facility for a Distributed Application: using OSF DCE in university student application processing.
C5: Douglas Conorich, RAXCO, Strengths and weaknesses of TCP/IP Network Security.
D5: Vendor Panel: What a network manager should consider in Distributed Information Systems Security Management.
E5: James P. Litchko; Internet Threats and Countermeasures.

Late PM Track Choices: 3:30-5:00 pm
A6: How to Get Attention for Information Security Awareness - Part II
B6: Gary Baker, Ernst & Young; "Distributed Computing and Client Server - An Auditor's Perspective"
C6: Ed Blackwell, "Value Added Networks Security Pitfalls" Using the security features provided by VANs.
D6: Vendor Panel: Discuss the security ramifications of network components (routers, bridges, etc.)
E6: Fred Sanborn, Booz, Allen and Hamilton; Securing the Enterprisewide Network.

Late-Late Birds of a Feather and Committee meetings 5:00-6:30 pm
Special ISSA Social Event 7-9 pm

April 5 - Wednesday Highlights:
Annual Meeting of The Information Systems Security Association

AM Track choices: 10:30-noon
A7: Alex Woda, "How to Secure, Audit and Control EDI" - a practical approach. An EDI audit program will be available for participants
B7: Colin Rous, Cerberus, "Distributed Computing and Client/Server Security: What it means for the Security Administrator."
C7: Robert Clyde, RAXCO, "Multi-Platform Enterprise Security Management"
C8: Panel: "Security Issues for Electronic Commerce", Loreto Remorca and David Lyons, moderators.
D7: Vendor Panel: Awareness and Training; ideas and solutions you can incorporate into your program.
E7: Bart Burron, Auditor General Canada, "A Top Down Computer Security Assessment for Senior Management."

After Lunch Committee Meetings 1 - 3 pm

April 6 - Thursday: (Elective) CISSP Preparation Course. This session will assist in preparation for the CISSP exam and explain test contents as well as the tools and methods for preparation.

Make your room Reservations with the Sheraton, and tell them you will be attending the 12th Annual ISSA Conference and the rate will be $127 (plus 15%)

For more information call ISSA headquarters (708) 699-6441.

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 7]
****************************************
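The integrity-checking dispute in the InVircible thread above (a compact per-file signature, one signature file per directory, and the reviewer's claim that changes from offset 2000h upward go unnoticed) is illustrated by the following added example, which is not part of the digest and not InVircible's code or format: a toy checker that writes a distributed database into each directory, records head bytes, tail bytes, size and a whole-file hash, and shows that a mid-file change escapes the head/tail comparison while the hash catches it, and that an appending modification can be undone from the snapshot only when the result verifies against the hash. DB_NAME, HEAD_LEN, TAIL_LEN and the use of SHA-256 are assumptions of this example.

```python
"""Per-directory integrity snapshots vs. whole-file hashing (constructed example)."""
import hashlib
import json
import os
import tempfile

DB_NAME = "INTEGRITY.DB"   # assumed name of the per-directory signature file
HEAD_LEN = 32              # bytes of the file head kept in the snapshot (assumption)
TAIL_LEN = 32              # bytes of the file tail kept in the snapshot (assumption)


def take_snapshot(path):
    """Record size, head bytes, tail bytes and a whole-file hash for one file."""
    with open(path, "rb") as f:
        data = f.read()
    return {
        "size": len(data),
        "head": data[:HEAD_LEN].hex(),
        "tail": data[-TAIL_LEN:].hex(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def secure_directory(dirpath):
    """Distributed database: one signature file written into each directory."""
    db = {}
    for name in sorted(os.listdir(dirpath)):
        full = os.path.join(dirpath, name)
        if os.path.isfile(full) and name != DB_NAME:
            db[name] = take_snapshot(full)
    with open(os.path.join(dirpath, DB_NAME), "w") as f:
        json.dump(db, f)
    return db


def load_db(dirpath):
    with open(os.path.join(dirpath, DB_NAME)) as f:
        return json.load(f)


def check_file(path, snap):
    """Classify a file against its snapshot.

    'head_tail_only' is the verdict a checker that compares only size, head
    and tail would give; 'full_hash' is the verdict from the whole-file hash.
    """
    now = take_snapshot(path)
    head_tail_changed = (now["size"] != snap["size"]
                         or now["head"] != snap["head"]
                         or now["tail"] != snap["tail"])
    return {
        "head_tail_only": "changed" if head_tail_changed else "ok",
        "full_hash": "changed" if now["sha256"] != snap["sha256"] else "ok",
    }


def try_restore_appended(path, snap):
    """Undo an appending modification: put back the stored head bytes and
    truncate to the original size, but write the result only if its hash
    matches the snapshot. Returns True on a verified restoration."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < snap["size"]:
        return False      # bytes were lost or prepended; not handled here
    candidate = bytes.fromhex(snap["head"]) + data[HEAD_LEN:snap["size"]]
    if hashlib.sha256(candidate).hexdigest() != snap["sha256"]:
        return False      # head/tail alone cannot rebuild this file
    with open(path, "wb") as f:
        f.write(candidate)
    return True


def demo():
    """Constructed scenario in a temp dir; returns the verdicts for checking."""
    tmp = tempfile.mkdtemp()
    victim = os.path.join(tmp, "PROG.EXE")
    original = bytes(range(256)) * 40          # 10240 bytes, reaches past 2000h
    with open(victim, "wb") as f:
        f.write(original)
    secure_directory(tmp)
    snap = load_db(tmp)["PROG.EXE"]

    # Case 1: one byte flipped at offset 0x2000, head, tail and size untouched.
    patched = bytearray(original)
    patched[0x2000] ^= 0xFF
    with open(victim, "wb") as f:
        f.write(patched)
    mid_change = check_file(victim, snap)

    # Case 2: constructed appending modification: head overwritten, data appended.
    with open(victim, "wb") as f:
        f.write(b"\xff" * 3 + original[3:] + b"APPENDED-TAIL" * 100)
    appended = check_file(victim, snap)
    restored = try_restore_appended(victim, snap)
    with open(victim, "rb") as f:
        intact = f.read() == original
    return mid_change, appended, restored, intact
```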