VIRUS-L Digest   Wednesday, 22 Feb 1995    Volume 8 : Issue 17

Today's Topics:

Corporate virus protection policy
Need Virus Scanner for NT (NT)
RE: AV Recommendation for DOS/Novell 3.12 Lan (PC)
ANTICMOS B - "Loading Bootstrap..." (PC)
Win_95 solutions (PC)
Re: Form Virus - How to Find It? (PC)
RE: Zipped files and detection? (PC)
Generic Virus Protection Methods (PC)
Re: surviving warm boot (PC)
surviving warm or cold boot (PC)
Re: "daboys" virus...HELP!!! (PC)
Re: Help newbie, F-PROT TBAV McAfee - where? (PC)
Re: McAfee on internet? (PC)
Re: Conventional Configuration (PC)
Re: InVircible review in Virus Bulletin - part 1 of 2 (PC)
Conventional Configuration (PC)
"Fake partition sector" (PC)
Payloads of Natas, SVC.2936 and Leandro (PC)
Stealth C Virus Information (PC)
F-PROT, VIRSTOP & Windows? (PC)
Re: Stealth C Virus (PC)
Utilities (PC)
buptboot alert for Northern Virginia (PC)
Re: Infection via a .WK4 file? (PC)
satanbug virus (PC)
French Boot sector virus???? (PC)
Re: ANTIEXE Virus (PC)
Re: Recommendations for behaviour blocker? (PC)
McAfee detects, but doesn't clean TridenT (PC)
Peace Man, Jump4Joy, Elvir (PC)
floppies going bad (PC)
Circular Infection with Stoned Variant (PC)
Re: New Stealth Virus?? (PC)
Invircible/ "Fake partition sector" (PC)
effects of stoned virus (PC)
Re: New Stealth Virus?? (PC)
Re: New Stealth Virus?? (PC)
New version (?) of Satanbug (PC)
Virus - Espejo (PC)
Re: Acces control, viruses and InVircible (PC)
Trying to Clean Athens-Help (PC)
Re: Zipped files and detection? (PC)
Natas AV (PC)
Re: InVircible review in Virus Bulletin

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.)

Please sign submissions with your real name; anonymous postings will
not be accepted. Information on accessing anti-virus, documentation,
and back-issue archives is distributed periodically on the list. A FAQ
(Frequently Asked Questions) document and all of the back-issues are
available by anonymous FTP on CORSA.UCR.EDU. Administrative mail
(e.g., comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 15 Feb 95 19:23:02 -0500
From: henderso@netcom.com (Mark C. Henderson)
Subject: Corporate virus protection policy

My employer is looking at coming up with a virus protection policy and
we're wondering if anyone else might be willing to share their policy
documents, thus helping us write one. Any sample policy documents would
be appreciated.

Thanks in advance,

Mark Henderson
- --
Mark Henderson -- markh@wimsey.bc.ca, henderso@netcom.com (personal accounts)
RIPEM 1.1 MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
ViaCrypt PGP Key Fingerprint: 21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46
cryptography archive maintainer -- anon ftp to ftp.wimsey.bc.ca:/pub/crypto

------------------------------

Date: Fri, 17 Feb 95 10:33:24 -0500
From: Kevin Dohrmann
Subject: Need Virus Scanner for NT (NT)

Anyone know of virus scanning software for NT? I have been unable to
locate any so far.

------------------------------

Date: Wed, 15 Feb 95 07:38:53 -0500
From: gcluley@sands.co.uk
Subject: RE: AV Recommendation for DOS/Novell 3.12 Lan (PC)

Mr Israel Kay <100112.2001@compuserve.com> wrote:

>Certainly. An NLM scanner is a must for such environment. I warmly
>recommend you go for one of the following:

[snip!]

>Dr. Solomon's AVTK NLM          S&S International PLC

Seeing as the majority of Virus-L's readership is in the United States,
it's worth giving our American contact details for anyone interested in
more information about Dr Solomon's Anti-Virus Toolkit:

   S&S Software International, Inc,
   27660 Marguerite Parkway #C-250,
   Mission Viejo, CA 92692, USA
   Tel: 714 470 0048   Fax: 714 470 0018
   Email: 72714.2252@compuserve.com

At the end of this month S&S are setting up an extra new office in
Boston.

The new version of Dr Solomon's Anti-Virus Toolkit for NetWare also
supports Novell Netware 4.x.

Regards
Graham
- ---
Graham Cluley [gcluley@sands.co.uk]      Senior Technology Consultant,
S&S International PLC, Alton House,      Dr Solomon's Anti-Virus Toolkit
Gatehouse Way, Aylesbury, Bucks, UK      S&S International PLC
+44 (0)1296 318700

------------------------------

Date: Wed, 15 Feb 95 07:44:21 -0500
From: millheim@pond.com (Frank Millheim)
Subject: ANTICMOS B - "Loading Bootstrap..." (PC)

I have a Compaq laptop with "ANTICMOS B" reported by McAfee 2.14. 214
will not remove it. I used 215beta, and it said "unable to remove ..."
or something like that, then it tried what it called "generic removal
method #1", and the virus now appears to be gone.

But now when the machine boots up, right before DOS6 says "Loading
MS-DOS..." a line appears that says "Loading Bootstrap..." but the
machine seems clean.

Anyone know what this is? A virus? Something from Compaq's ROM that
doesn't normally show?

================================================
"Millhouse, we live in the age of cooties" - Bart Simpson

------------------------------

Date: Wed, 15 Feb 95 08:33:57 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Win_95 solutions (PC)

Dylan J. Greene (dylan@glue.umd.edu) wrote:

> The current Win95 beta warns in the readme not to use Norton
> Antivirus. The readme also says that virus protection
> programs can detect, but not clean, viruses in 95
> because virus protection programs use low level writes
> that will damage 95's long file names. What should Win95
> users do until 32-bit antivirus programs are available?

Well, I haven't done much testing with Win_95 (it may not be fast but
*boy* is it slow); however DiskSecure seems to work just fine as far as
the startup/detect/repair is concerned. Since this element works
entirely before the OS loads and while the PC is still in REAL mode,
32bit has no effect on it.

Of course this only affects MBR and BSI viruses but the figures I am
seeing (have no way to judge myself) are in the range of 70-80% of
infections.

Warmly,
Padgett

ps v 2.42 is still current - have seen no reason to update the
internals.

------------------------------

Date: Wed, 15 Feb 95 08:48:22 -0500
From: gcluley@sands.co.uk
Subject: Re: Form Virus - How to Find It? (PC)

Tim Hetherington writes about the Form virus:

>Hope this has been useful to you. Somewhere lurking on my hard drive I
>have a copy of an article by Graham Cluley of Dr. Solomon's which gives a
>good description about the said virus and ways to clear it and avoid
>re-infection. I will dig it out for you if you would like a copy. Just
>drop me an e mail and I'll send it.

In fact, seeing as I cobbled it together I'll be happy to send
ANTIFORM.TXT to anyone who is interested or has experienced problems
with the Form virus. (Surely this is one for the updated FAQ?). Just
email me at the address below and I'll send a copy of the article to
you.

Regards
Graham
- ---
Graham Cluley [gcluley@sands.co.uk]      Senior Technology Consultant,
S&S International PLC, Alton House,      Dr Solomon's Anti-Virus Toolkit
Gatehouse Way, Aylesbury, Bucks, UK      S&S International PLC
+44 (0)1296 318700

------------------------------

Date: Wed, 15 Feb 95 09:31:23 -0500
From: gcluley@sands.co.uk
Subject: RE: Zipped files and detection? (PC)

Talk To Me writes:

>Can viruses be detected in zipped files scanned by a McAfee or
>MS-doctor scanner?

I'm not sure if you're referring to the product I represent when you
say "MS-doctor". If you mean Microsoft Anti-Virus then the answer is
no, it can't scan inside ZIP files.

I believe McAfee can be forced to scan inside ZIP files but only by
using a third-party shell program (which unzips the files to a hard
disk directory first, then scans the directory).

The new release of Dr Solomon's Anti-Virus Toolkit (v7.0) can scan
recursively inside ZIP, ARJ, ZIP2EXE, PKLite, LZExe compressed files
and detect viruses contained within. It can even scan PKLite
"unextractable" files. We'll be adding more compression and archiving
formats in the coming months.

Eugene Kaspersky's AVP program from Russia can also scan inside archived
and compressed files.

Regards
Graham
- ---
Graham Cluley [gcluley@sands.co.uk]      Senior Technology Consultant,
S&S International PLC, Alton House,      Dr Solomon's Anti-Virus Toolkit
Gatehouse Way, Aylesbury, Bucks, UK      S&S International PLC
+44 (0)1296 318700

------------------------------

Date: Wed, 15 Feb 95 10:19:55 -0500
From: "Jamon E. Bailey"
Subject: Generic Virus Protection Methods (PC)

A few months ago my computer was attacked by a virus that could not be
detected by either of two respectable scanning programs (McAfee Scan
and F-Prot). Although I am confident that I rid my computer of the
virus, I am interested in adding generic virus protection to my
computer in order to prevent future infections by unknown viruses.

Two products I am considering are InVircible and EMD Armor Plus, an
anti-virus hardware card. I would like to hear about some experiences
people have had with these and any other generic virus protection
products. Also, I do programming, so information about compiler related
(and other) false alarms would be appreciated.

Jamon Bailey

------------------------------

Date: Wed, 15 Feb 95 10:57:57 -0500
From: Paul Walmsley
Subject: Re: surviving warm boot (PC)

> : At least one virus, Exebug, can pervert the cold boot process.
> : It does not mess with the execution path you outline, but it
> : doesn't need to. It tricks the system into booting from the hard
> : disk even with a floppy in the A: drive.
>
> I'd like to see a virus that can withstand a power down. I am not
> that sure about a reset since windows can go back from protected mode
> to real mode on a 286 using a software reset and some signaling value
> in CMOS RAM (or was it in BIOS data area?). But a "normal" warm boot
> resident virus can easily be detected by not showing BIOS POST
> messages and EMM386 complaining about the cpu already being in V86
> mode.
> Ingo Warnke
>

While it's true that no virus can survive a boot (warm or cold), some of
them can fake a warm boot (i.e. restart the system without getting
themselves wiped out).

If I remember rightly, Exebug modifies the CMOS to make sure the system
boots off the hard disk and then when it's loaded checks to see if
there's a disk in drive A: and boots the system from that, or from the
hard disk if there's no floppy.

If you know your boot sequence well you should be able to spot this,
but I'm sure quite a lot of people won't and will think they've booted
off a clean floppy.

Paul

------------------------------

Date: Wed, 15 Feb 95 12:28:00 -0500
From: "A.Appleyard"
Subject: surviving warm or cold boot (PC)

Iolo Davidson wrote:-

> Have a look at Exebug then. It can spoof a cold power-off boot with a floppy
> in the A: drive to cause the system to boot from the hard disk MBR, then
> carry on and boot the system from the floppy, after the virus is in memory
> and in control.

Then, if a PC is infected with Exebug, how to genuinely clean boot it
from a clean floppy?

> THO STIFF            IT SHAVES
> THE BEARD            LIKE DOWN WITH
> THAT NATURE GAVE     Burma Shave

What is Burma Shave?
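The two messages above describe Exebug changing the CMOS configuration so that the BIOS boots from the hard disk, after which the virus itself reads the floppy in A:. Before trusting a "clean floppy" boot, the check a practitioner wants is to look at what the CMOS actually says about the floppy drives. The script below is an added example written for this page; it is not code posted by anyone on the list and not part of any product named here. It assumes the classic IBM AT CMOS layout (register 0x10 holds the floppy drive types, 0x14 the equipment byte, 0x2E/0x2F a big-endian checksum over registers 0x10 through 0x2D), and it assumes that a virus forces the hard-disk boot by clearing the A: drive type, which is one way to do what the posts describe. The sample CMOS image is constructed in the code; `load_cmos_dump` reads a raw dump from a file, with the offset of Linux's /dev/nvram (which is assumed to start at register 14) given as an example.

```python
"""Audit AT-class CMOS settings that a boot-path-spoofing virus would alter.

Added example, not code from any VIRUS-L poster.  Layout assumptions
(classic IBM AT CMOS; later BIOSes may differ):
  0x10      floppy drive types, high nibble = A:, low nibble = B:
  0x14      equipment byte, bit 0 = a floppy drive is installed
  0x2E/0x2F big-endian 16-bit sum of registers 0x10..0x2D (standard checksum)
"""

CMOS_FLOPPY = 0x10
CMOS_EQUIP = 0x14
CMOS_CKSUM = 0x2E
CMOS_SIZE = 128

FLOPPY_TYPES = {0: "none", 1: "360K", 2: "1.2M", 3: "720K", 4: "1.44M", 5: "2.88M"}


def floppy_types(cmos):
    """Decode register 0x10 into (drive A type, drive B type) names."""
    b = cmos[CMOS_FLOPPY]
    name = lambda n: FLOPPY_TYPES.get(n, "unknown(%d)" % n)
    return name(b >> 4), name(b & 0x0F)


def computed_checksum(cmos):
    """Standard AT checksum: sum of registers 0x10..0x2D, 16 bits."""
    return sum(cmos[CMOS_FLOPPY:CMOS_CKSUM]) & 0xFFFF


def stored_checksum(cmos):
    return (cmos[CMOS_CKSUM] << 8) | cmos[CMOS_CKSUM + 1]


def set_checksum(cmos):
    """Write a valid checksum, as SETUP (or a careful virus) would."""
    ck = computed_checksum(cmos)
    cmos[CMOS_CKSUM] = ck >> 8
    cmos[CMOS_CKSUM + 1] = ck & 0xFF


def audit(cmos):
    """Return warnings about settings that would silently move the boot to C:."""
    warnings = []
    drive_a, _ = floppy_types(cmos)
    floppy_installed = bool(cmos[CMOS_EQUIP] & 0x01)
    if computed_checksum(cmos) != stored_checksum(cmos):
        warnings.append("checksum mismatch: CMOS was changed without going through SETUP")
    if drive_a == "none":
        warnings.append("drive A: type is 'none': the BIOS will skip the floppy and boot from the hard disk")
    if floppy_installed != (drive_a != "none"):
        warnings.append("equipment byte and drive-type byte disagree about whether A: exists")
    return warnings


def make_sample_cmos():
    """Constructed clean image: one 1.44M floppy as A:, consistent checksum."""
    cmos = bytearray(CMOS_SIZE)
    cmos[CMOS_FLOPPY] = 0x40          # A: = 1.44M, B: = none
    cmos[CMOS_EQUIP] = 0x01           # floppy installed, one drive (bits 6-7 = 0)
    set_checksum(cmos)
    return cmos


def exebug_style_tamper(cmos, fix_checksum):
    """Assumed virus behaviour: clear the floppy types so the BIOS boots from C:.

    A sloppy virus leaves the checksum stale; a careful one recomputes it,
    which is why the audit cross-checks the equipment byte as well."""
    t = bytearray(cmos)
    t[CMOS_FLOPPY] = 0x00
    if fix_checksum:
        set_checksum(t)
    return t


def load_cmos_dump(path, first_register=0):
    """Load a raw CMOS dump into a 128-byte image.

    For a dump taken with DEBUG starting at register 0 use the default;
    for Linux /dev/nvram (assumption: its byte 0 is register 14) pass 14."""
    with open(path, "rb") as f:
        data = f.read()
    cmos = bytearray(CMOS_SIZE)
    data = data[:CMOS_SIZE - first_register]
    cmos[first_register:first_register + len(data)] = data
    return cmos


if __name__ == "__main__":
    clean = make_sample_cmos()
    for label, image in (("clean", clean),
                         ("tampered, stale checksum", exebug_style_tamper(clean, False)),
                         ("tampered, checksum fixed", exebug_style_tamper(clean, True))):
        print("%s: A=%s B=%s" % ((label,) + floppy_types(image)))
        for w in audit(image) or ["no warnings"]:
            print("   ", w)
```

The second tampered image is the interesting one: a virus that recomputes the checksum defeats the checksum test alone, so the audit also compares the drive-type byte against the equipment byte; a clean boot from A: is only believable when both agree that the drive exists and the BIOS boot order can actually reach it.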
------------------------------ Date: Wed, 15 Feb 95 12:54:41 -0500 From: psychman@ripco.com (Psychman) Subject: Re: "daboys" virus...HELP!!! (PC) ruben@ralp.satlink.net (Ruben Arias) wrote: : mikemccu@ix.netcom.com (David Michael McCutcheon) writes: : >All, : >Has anyone heard of a virus called "daboys"? I know that it is a boot : >sector virus, and my IBM AntiVirus v2.0B detects it. : See The info! : >However, I'm having difficulty cleaning the hard disk. (And, YES, I've : tried booting >from a virus-free diskette.) : Ok, EVER boot from a "Clean_Bootable_WriteProtected" Diskette". : :-) : - ----------------------------------------------------------------------------- : DA'BOYS VIRUS : ------------- : Virus Name: DA'BOYS : Aliases: DALLAS COWBOYS : V Status: New, Research : Discovery: January, 1994 : Symptoms: Possible diskette access problems; BSC; Infected disks fail to : boot on 8088 or 8086 processors; No COM4. : Origin: USA : Eff Length: 251 Bytes : Type Code: BORaX - Resident Overwriting Boot Sector and Master Boot Sector : Infector : Detection Method: None : Removal Instructions: DOS SYS : General Comments: : The DA'BOYS virus will only work with DOS 5 or DOS 6+ with an 80186 or : better processor. Unlike other boot sector infectors, the DA'BOYS : virus overwrites or rewrites the DOS boot sector. It does not make a : copy or move the boot sector to another sector. It will infect all : American DOS 5 or DOS 6 boot sectors. It will infect disks in drive : A: or B: It works with 360K, 720K, 1.2M, 1.44M or 2.88M disks. If this is true. It should be easy to remove the virus with fdisk /mbr. ------------------------------ Date: Wed, 15 Feb 95 13:28:56 -0500 From: r1510002@cc.ntu.edu.tw (Cho Chen-Yu) Subject: Re: Help newbie, F-PROT TBAV McAfee - where? 
(PC) : If anybody can advise me where to find for down-loadinng : F-PROT, TBAV, McAfee's Scan The latest version of F-PROT is fp-216.zip TBAV is TBAV632/TBAVX632/TBAVW632.zip McAfee is scn-214e/vsh-214e.zip You can use ARCHIE to find a FTP Site near to you, otherwise try csuvax1.murdoch.edu.au (134.115.4.1) Location: /pub/pc/dos/virus ...... - -- Cho Chen-Yu %% Master Program Student %% Urban Planning Technician Graduate Institute of Building and Planning % National Taiwan University Taipei, Taiwan, Republic of China E-Mail : r1510002@cc.ntu.edu.tw ------------------------------ Date: Wed, 15 Feb 95 15:14:50 -0500 From: mphill@pavilion.co.uk (mphill) Subject: Re: McAfee on internet? (PC) says: >Anyone know if McAfee are reachable over internet? >Or any ftp site that provides the latest version of >their scanner? Quote from VirusScan doc. The latest versions of McAfee's antivirus software are available by anonymous ftp over the internet from the site mcafee.com also...at...oak.oakland.edu in the simtel/msdos/virus directory and its associated mirror sites: wuarchive.wustl.edu......(us) ftp.switch.ch......(switzerland) ftp.funet.fi...(finland) src.doc.ic.ac.....(uk) archie.au....(australia) Question etc to support@mcafee.com ------------------------------ Date: Wed, 15 Feb 95 15:18:18 -0500 From: miseurope@delphi.com Subject: Re: Conventional Configuration (PC) Ian Guthrie writes: >Is there a way to reduce the number of bytes of conventional memory f-prot >use without using the /disk option? F-prot uses 33k of conventional memory Ian You could change to a product called EMD Armor PLUS its uses NO conventional memory as its hardware/software based, its excellent. Needs NO updates and detects known and future viruses. You can call EMD Enterprises in the US on 410-583-1575 and ask for Enrico DePaolis. 
Good Luck ------------------------------ Date: Wed, 15 Feb 95 15:38:04 -0500 From: emd@access3.digex.net (EMD Enterprises) Subject: Re: InVircible review in Virus Bulletin - part 1 of 2 (PC) Frans Veldman (Veldman@esass.iaf.nl) wrote: : emd@access3.digex.net (EMD Enterprises) writes: EMD>> Subject: Re: InVircible review in Virus Bulletin - part 1 of 2 (PC) EMD>> EMD>> VIRUS BULLETIN IS OWNED BY THE SAME INDIVIDUAL(S) WHO OWN SOPHOS, EMD>> A U.K. COMPANY WHICH SELLS SWEEP, A SCANNER BASED ANTI-VIRUS PRODUCT EMD>> marketed primarily to Corporate Buyers in the U.K. In fact, the two EMD>> companies (Sophos and Virus Bulletin) have the same street address. EMD>> This immediately suggests a serious conflict of interest. It is all the FV> Yep. So far so good. It *SUGGESTS* a conflict of interest. But no more FV> than that. Now let's try to find some evidence whether this suggestion FV> is true. When I take a look at the comparising reviuews, you might be FV> surprised that Sophos never 'won the test'. The leading anti-virus FV> products are somehow stable: F-Prot, AVP, Solomon toolkit and TBAV (in FV> random order). While Sophos may not have been top rated in the past reviews, it almost always finished near the top. Indeed, there would be a blatant credibility problem if Sweep ever got the highest rating. I don't believe even other scanner based product manufacturers like Mr. Veldman would rise up to defend Virus Bulletin so gallantly if that happened! But that is not the point. There is a credibility problem with Virus Bulletin that people in the anti-virus community need to be aware of. What would you feel if Microsoft started a magazine and began reviewing its own products as well as competing products? Would you ever believe those reviews no matter how loudly Microsoft proclaimed the objectivity of the magazine? 
EMD>> more galling since Virus Bulletin proclaims itself to be an unbiased EMD>> publication, and proudly states that it does not carry any EMD>> advertisement to ensure editorial objectivity! (Readers of the NCSA FV> True. And I think that's great. EMD>> Our anti-virus product, EMD Armor Plus, was reviewed by PC Plus EMD>> magazine in their December, 1994 issue. It received a score of 5 EMD>> out of 5 stars and was given the PC-Plus Recommended status. Earlier FV> Doesn't mean a thing. EVERY anti-virus product I know got editor awards FV> or the number one rate in various magazines. The winner of the test FV> depends on many things, and Anti-Virus expertise plays usually a small FV> role in it. I agree, to a large extent it depends on how the test parameters are setup. FV> More interesting is what the Anti-Virus experts say about your product. FV> And unfortunately, this may contradict... No problem here, but don't you think that for the sake of fairness these experts should not be employed by, or associated in any way with any anti-virus product manufacturer? In any case, I would give more attention to the feedback I receive from the average user, rather than the opinionated self-proclaimed "expert". EMD>> is) the Technical Editor of Virus Bulletin. It seems that the magazine EMD>> reserves its contempt and ridicule for smaller companies which dare to EMD>> take a different approach to the virus problem and thus create a EMD>> potential challenge to the monopoly of scanner based solution EMD>> providers. FV> The real problem are the users. All they want is scanners. So the FV> reviewers keep on reviewing scanners. Users want scanners because they have been led to believe that they must have the latest virus signature for effective virus protection. This sustained PR campaign from scanner based product manufacturers have worked very well in convincing users that they must periodically purchase updates to keep up their defenses. We hope to change all that though. 
I invite you to visit us in CeBIT in Hanover, Germany, March 8-15 for a demonstration of EMD Armor Plus. We will be at Hall 18/OG, Booth A33. You can also attend my presentation on March 14 at 2:00 PM for more information on this new generation of anti-virus products. Enrico DePaolis President EMD Enterprises Phone: (410) 583-1575 606 Baltimore Avenue FAX: (410) 583-1537 Suite 205 CompuServe: 70473,3260 Towson, MD 21204-4053 Internet: emd@access.digex.net Fax-back: (410) 583-1575 ext. 4 (select document 1015 for EMD Armor Plus) ------------------------------ Date: Wed, 15 Feb 95 19:07:15 -0500 From: Mr Israel Kay <100112.2001@compuserve.com> Subject: Conventional Configuration (PC) Ian Guthrie writes: > Is there a way to reduce the number of bytes of conventional memory f-prot > use without using the /disk option? F-prot uses 33k of conventional memory > but when we used the /disk option the machine freezes. If there is solution > please let me know. Thanks, The AUTOEXEC.BAT and CONFIG.SYS files contain a number of device drivers and TSR's. There is obviously a conflict between these and your current setup of VIRSTOP. In the first instance I suggest you try placing VIRSTOP at the bottom of your AUTOEXEC. If this does not solve it, you may have a conflict with one of VIRSTOP's features. In such case it is a process of elimination to see which is the offending one. If this fails, I suggest that you e-mail me a copy of your AUTOEXEC and CONFIG files for analysis. Should you wish to reduce the overhead on conventional memory you can load VIRSTOP into high memory. Regards, Israel A COMPUTER IS THE SIMPLEST OF ALL CREATURES. IT UNDERSTANDS ONLY ONE THING, ON AND OFF, YES AND NO, 1 AND 0. ********************************************************************* * I S R A E L K A Y * * IT Security Consultancy, London Office, * * 137 Wargrave Avenue, London, N15 6TX. UK. 
* * Tel: +44 181 800 7278 Fax: +44 181 802 9880 * * CIS: 100112,2001 Internet: 100112,2001@compuserve.com CIX: ik * ********************************************************************* ------------------------------ Date: Wed, 15 Feb 95 20:58:35 -0500 From: Zvi Netiv Subject: "Fake partition sector" (PC) > From: hzf30@mfg.amdahl.com (Curly) > I became very curious about this Invircible product and decided to give > part of it a try. Having heard some peculiarities about its behaviour I > did choose not to dive into a full install just yet. Instead, I loaded > the IVTEST program into my autoexec.bat and my park.bat routines. > What I've found is that it occasionally pauses and reports that I have a > "faked boot sector" or something to that effect. Running it again > immediately afterwards does not duplicate this report. Instead, it says > everything is cool. Am I supposed to trust this thing that can't make > up its mind regarding my boot sector? The claims made by the promoters > of the product led me to believe that it wouldn't be prone to such > inconsistant behaviour. A "faked partition" message from IVTEST means one of the following: either you are using one of the new large capacity IDE drives that requires the use of a special Ontrack dynamic boot loader. This driver uses stealth, or you have a genuine stealth mbr infector. IVINIT won't report boot stealth even in the presence of the Ontrack driver, but you installed IVTEST instead. Yet since you mentioned this, it seems that I'll have to take into account the smart guys too, so it was now fixed in IVTEST, for the next release. :-) The other possibility is of a genuine stealth mbr infector. Usually it comes coupled with other indications. Memory stealing for one thing. If you did read the documentation then you would usually want to go for a visual inspection of the boot areas with ResQdisk. 
> The portion of Invircible that I tried did not seem to require any > special installation to work properly but it sure didn't appear to be > very confidence building from what I've experianced. This is just an > average user's opinion. For now, I don't see any reason to change from > my regular use of F-Prot/Virstop. At least they consistantly say my > boot sector is okay, and not occasionally "faked". Unfortunately Virstop doesn't always report when a stealthy mbr infector is present. I just tried Virstop 2.16 with Monkey active on my hard drive. You are right, it doesn't complain about anything. Zvi Netiv, NetZ Computing ------------------------------ Date: Wed, 15 Feb 95 22:00:30 -0500 From: "Fabio Esquivel (Iron Maiden's fan)" Subject: Payloads of Natas, SVC.2936 and Leandro (PC) Since August 1992 I've been reporting to this forum the presence of these viruses in several computers at work and friends' (well,=20 in fact, just Natas and SVC.2936). However, I haven't been able to find any source of information that clearly states what are the payloads of these viruses. I found Leandro yesterday, examined the infected disk and found it to be a simple boot sector infector that stores the real disk BS into a cluster marked as bad by Leandro itself, but I don't know what its payload (if any) is... Fridrik? Vesselin? John McAfee? Thanks in advance for your answers... \___/=20 (O o) - ----------------------------------oOo-U-oOo--------------------------------= - -- Fabio Esquivel - University of Costa Rica | C:\GAMES>a:install fesquive@cariari.ucr.ac.cr (163.178.101.5) | Blood_Drinker virus found! fesquive@bribri.ci.ucr.ac.cr (163.178.101.8) | Apply, Kill, Panic? _ =09=09=09 "Up the Irons!" 
- 8=AC) - ---------------------------------------------------------------------------= - --- __|||__ (__/^\__) ------------------------------ Date: Wed, 15 Feb 95 22:29:54 -0500 From: FIELDS@ix.netcom.com (Mark Fields) Subject: Stealth C Virus Information (PC) I would like to ask that if anyone knows anything more than the basics of how to eliminate the Stealth C Virus, that they would please post this information or write to me with this information. Information of interest would be what exactly this virus does(other than consume memory space), where it originated from, why it will not affect certian systems, etc.... Thank You, Mark Fields@ix.netcom.com ------------------------------ Date: Wed, 15 Feb 95 22:46:34 -0500 From: ebottoni@cat.cce.usp.br (Eduardo Benedicto Ottoni) Subject: F-PROT, VIRSTOP & Windows? (PC) I've just started using F-Prot's VIRSTOP as a TSR antivirus. Unlike VSHIELD, it has no Windows shell to communicate with Windows users. In fact, there are few mentions at all to Windows in F-Prot's documentation. My question is: can I be sure that I'll get VIRSTOP messages while in Windows (i.e., always)? Thanks in advance! Eduardo B. Ottoni ------------------------------ Date: Thu, 16 Feb 95 00:56:14 -0500 From: tim@ins.infonet.net (Tim Nemec) Subject: Re: Stealth C Virus (PC) I traced the Stealth C virus to a floppy I was given with a GIF graphic on it. The floppy was not bootable but I accidently rebooted my machine with the floppy in the A: drive and believe this led to the initial infection. ------------------------------ Date: 16 Feb 95 00:30:49 -0700 From: naoh@yvax.byu.edu Subject: Utilities (PC) I was wondering if anyone knows of a program that will do the following: - Write a generic boot sector to a floppy disk - Scan for bad sectors, and rewrite them with null characters, and then mark them as good - Decompile machine language from a sector on a disk. 
The reason is that there are some viruses that the virus cleaner programs don't work on yet, but are simple boot sector viruses. (The FDisk command doesn't work on floppies!) Thanks! ------------------------------ Date: Thu, 16 Feb 95 03:04:37 -0500 From: SALIX Technologies - Dan Simpkins Subject: buptboot alert for Northern Virginia (PC) Buptboot Virus Alert for Northern Virginia February 15, 1995 On the morning of February 13, an employee of SALIX Technologies, Inc. powered up his machine, and upon trying to run Windows, got the following message: ========= The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. There is unrecognizable disk software installed on this computer. The address that MS-DOS uses to communicate with the hard disk has been changed. Some software, such as disk-caching software, changes this address. If you aren't running such software, you should run a virus-detection program to make sure there is no virus on your computer. To continue startiing Windows without using the 32-bit disk driver, press any key. ========= Upon doing a memory check, I found that the amount of conventional memory available was 638K instead of 640K. Booting from a clean system diskette resulted in a correct reading of 640K. This seemed to suggest that there was a boot sector virus residing on this machine. I booted from a clean write-protected diskette, and ran F-Prot 2.16 from the diskette. F-Prot discovered the Buptboot virus on the MBR. Using the debug.exe program (also from the diskette), we found the virus residing in memory from 9000:F800 to 9000:FFFF. The message "Welcome to BUPT 9146 Beijing!" was found at 9000:FBBB. Running the FDISK /MBR from F-Prot seems to have disinfected the hard disk and eliminated the virus. Another machine in the office was found to have the same problem, although the memory was shown to have 637K available. The extra missing 1K was probably used by the BIOS. 
This difference caused the virus to show up in memory from 9000:F000 to 9000:F800, and the virus message to appear at 9000:F7BB. This machine was disinfected in the same manner. This virus has demonstrated the ability to infect floppies with ease, and indeed, several floppies were found to also contain the boot sector virus. We suspect that this virus might have been brought into our office by a student of Thomas Jefferson High School for Science and Technology (Alexandria, VA) who works here as an intern. We found the same virus on his computer at home, and his father's computer at home. It is quite possible that this virus now exists on machines at the school, and the home computers of any students attending this school. The possibility for spread of this virus is scary. We found this virus only because we tried to do a 32-bit disk access and were alerted to a problem. I believe we found the virus before it had a chance to do whatever it is that this virus does. However, anyone who is not using 32-bit disk access might not be so lucky. We are fairly certain that is has been in the area for at least three weeks, and should be assumed to be dangerous until proven otherwise. Scott Gurst SALIX Technologies, Inc. salix@clark.net ------------------------------ Date: Thu, 16 Feb 95 04:07:06 -0500 From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell) Subject: Re: Infection via a .WK4 file? (PC) Gus Perger (regrep@iinet.com.au) wrote: : Infection through 'Mouse Device Driver' floppies. : We bought a batch of new MITSUMI serial mouse, model: ECM-S31Type, : in sealed boxes. When we virus checked with McAfee v. 2.1.0 the mouse : device driver (version 7.21) disks supplied with the mouse we got this: : FROM_A infected, 'No remover currently available'. : How can we clean the 'FORM_A' virus off these disks? : Thanks for help. 1) Call McAfee's Tech Support. (408) 788-3832 or support@mcafee.com. (If you're using it, you *are* registered, right?) 
or 2) I'd expect McAfee to be able to handle this; perhaps you have a variant. In any event, consider an alternative scanner. AVP, Dr. Solomon's AntiVirus Toolkit, F-PROT, and TBAV do usually better in reputable (imo) tests than does McAfee or 3) Remove the infection with SYS A: if you have enough room on the diskettes for the system files or 4) Make a subdirectory on your hard drive, copy all the files from the floppy, format the floppy (I suggest that you use the /U parameter both to get more space and to kill all vestiges of the virus), then copy the files back to the floppy. Both 3) and 4) assume that Form is not active in memory. To be sure, boot from a known-to-be-uninfected diskette first. -BPB ------------------------------ Date: Thu, 16 Feb 95 14:31:36 -0500 From: C.M.BOYLAN@liverpool-john-moores.ac.uk (WINDOW_CLEANER) Subject: satanbug virus (PC) Hi there! My machine caught a severe case of SatanBug, and it wiped off everything in sight 8( Does anybody have any information on this virus? Like, how it works etc? Clare Boylan Liverpool JMU ------------------------------ Date: Thu, 16 Feb 95 14:33:03 -0500 From: shrall@en.ecn.purdue.edu (Jerry Shrall) Subject: French Boot sector virus???? (PC) I have an old version of f-prot running on my pc, and it encountered a 'french boot sector' virus, which it did not know how to correct. Can anybody point me to a utility that would correct this? Also, I have simply been testing out this f-prot (borrowed copy), and I like it a lot. I wanted to buy some version of virus checker, but I really don't know which ones are good, and where to get them (f-prot would be fine). Also, with a licensed copy, how do the upgrades work?? When a new version comes out, is it pretty simple get it (i.e., minimal cost, hassle)? Please email any replies... 
thanks
jerry shrall

------------------------------

Date: Thu, 16 Feb 95 14:36:16 -0500
From: sbringer@netcom.com (Mike)
Subject: Re: ANTIEXE Virus (PC)

MR HENRI J DELGER (XWWC29A@prodigy.com) wrote:
: AntiExe is a stealth virus, blocking attempts to write to the first sector
: of disks if in memory, thus preventing its code from being overwritten. It
: also is a dangerous virus: if the user hits Ctrl + Break while the virus is
: in RAM, attempting to access a disk, AntiExe will start overwriting disk sectors.

Actually, I failed to find the CTRL-BREAK code in the virus.... I did find that it scans the first 8 or so bytes of any sector read/written to for a specific exe header, trashing the 9th byte if found.

Cheers,
Mike

------------------------------

Date: Thu, 16 Feb 95 14:32:44 -0500
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Recommendations for behaviour blocker? (PC)

Michael Jackson (mrjackson@delphi.com) wrote:
> Yves Bellefeuille writes:
>
> >I'd like to get recommendations for a behaviour blocker (generic monitor)
> >for a PC. It can be commercial or non-commercial, or even a discontinued
> >product. If responses warrant, I'll post a summary.
> >
> If I understand what you're asking for, you might want to take a
> look at the TSR's in ThunderByte AV. I've found them pretty good at
> behaviour monitoring/blocking.....so far at least.

The TBAV mem-res utilities are good, but some viruses infect without triggering them at all. Behaviour blockers are tricky to implement in a way that stops viruses but not normal operations. You win some, you lose some :-)

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas          Lead, Follow,        35    InterNet: iandoug@cybernet.za
P.O. Box 484         or get out of        1,73  FidoNet:  5:7102/119
7532 Sanlamhof       the way.             57    TopNet:   225:2048/1
South Africa         (Ted Turner, CNN)    XNTX  PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 17 Feb 95 00:45:28 +0000
From: dbarber@crash.cts.com (David C. Barber)
Subject: McAfee detects, but doesn't clean TridenT (PC)

My McAfee V117 detected TridenT this afternoon (*after* the machine screwed up), but CLEAN C: [TridenT] doesn't see any viruses. Since this is my first experience trying to do this, can someone tell me what I may be doing wrong?

Thanks!

Without Faith               *David Barber*
nothing else has value      dbarber@cts.com

------------------------------

Date: Thu, 16 Feb 95 20:29:02 -0500
From: "D. P. Wijesinghe"
Subject: Peace Man, Jump4Joy, Elvir (PC)

Recently, while evaluating the new McAfee VirusScan I was informed by the program that traces of Peace Man were found in the memory of my IBM clone & advised re-booting with a clean boot disk. I did so with a disk prepared for just such situations but after running VirusScan again was informed that traces of Jump4Joy were found in memory. I rebooted with another supposedly 'clean' boot disk and this time was informed that traces of Elvir were found in memory.

Now, what I would like to know is exactly what do these viruses do? Can I afford to ignore the warning (after all, it did say 'traces') or is my machine in imminent danger of total chaos? I guess I should get a friend to give me a 'guaranteed' clean boot disk and boot off that and re-try VirusScan - but what if I just keep getting these or similar messages? Is it remotely possible that these virus warnings are spurious? (Hope springs eternal etc...!)

Any advice, suggestions, comments would be most welcome.

Priyantha Wijesinghe

------------------------------

Date: Thu, 16 Feb 95 20:54:51 -0500
From: lear@utkvx.utcc.utk.edu
Subject: floppies going bad (PC)

During the past couple of years I have noticed that several of my floppies (2HD) have become unreadable. I also noticed that many of these cannot be reformatted either.
I get the message that the first sectors are damaged and the disk cannot be revived (when I try using Norton Disk Doctor). I suspect that this may be a hardware problem--that the disk drive may be doing something to some of the disks, but maybe this could be a virus. I just don't know. I have experienced no problems with my hard disk. Norton AV and Search and Destroy turn up nothing. And since the problem has been around, intermittently, for the past couple of years, it cannot be a new virus.

What do you think? Misaligned disk drive? I'd appreciate any help you may have to offer.

R Kelly

------------------------------

Date: Thu, 16 Feb 95 21:21:18 -0500
From: jboy@halcyon.com (Johnny Boy)
Subject: Circular Infection with Stoned Variant (PC)

I've recently found an instance of a Stoned variant infecting both MBRs of a dual drive PC. F-Prot Pro 2.16 was able to disinfect the C: drive, but did not attempt to disinfect the D: drive (though it did find the virus). The helpful folks at Command SW (who I hereby thank) were able to reconstruct a boot record for the D: drive from the disinfected C: drive's MBR, but I am still curious as to the workings of a circular infection. These questions remain in my mind:

If a second drive is not the boot drive, how does its MBR get infected?

In the case of a virus like Stoned which encrypts the MBR and hides it (please correct me if I'm mistaken here), how would hiding the second drive's MBR affect things?

When using F-Prot Pro's fixdisk on install (which, as I understand it, makes a copy of the clean MBR and hides it for later recall when needed) would this utility create such copies for both drives?

Thanks for any info on these items.

- --
"Generic platitude #247"
That's Johnny Boy to you
jboy@halcyon.com

------------------------------

Date: Thu, 16 Feb 95 22:26:39 -0500
From: arubin@alumni.caltech.edu (Arthur L. Rubin)
Subject: Re: New Stealth Virus?? (PC)

Kamil Bukala writes:
> I think I might have a virus, due to the following reasons:
[reasons skipped]

A file called "NUL" cannot be read under DOS unless the NUL handler is removed (or corrupted). The same applies to your backup program...if it uses standard DOS calls, I believe. I suspect your backup program is either badly written, corrupted, or infected with a virus that knows it is a backup program.

>Please reply (if possible) to ac529@cfn.cs.dal.ca (Kamil Bukala)..

- --
Arthur L. Rubin, PO Box 9245, Brea, CA 92622 (USA)
arubin@alumni.caltech.edu 216-5888@mcimail.com 70707.453@compuserve.com
Computer expert with 24 years programming experience looking for gainful employment.

------------------------------

Date: Fri, 17 Feb 95 01:41:30 -0500
From: hzf30@mfg.amdahl.com (Curly)
Subject: Invircible/ "Fake partition sector" (PC)

After my last post concerning what appeared to be inconsistent behaviour on the part of Invircible's IVTEST module, Zvi Netiv took the initiative and immediately followed up with me to resolve the problem.

Previously, I posted that IVTEST had made inconsistent reports that my boot sector was "faked". After a couple of correspondences, Zvi was able to determine that it was a known hardware incompatibility problem which he had already come across. He explained the following:

InVircible uses some drastic methods -- yet nothing that isn't in the book -- to dig elusive viruses out. In doing so IV exercises the dark corners of the bios and DOS. Unfortunately, some hardware producers sometimes take shortcuts and do not qualify their designs to the full required envelope.

IV has spotted a couple of design bugs in hardware which according to Zvi includes the particular hard drive model in use on my system. From the manifestation of the problem, Zvi is quite sure that the root cause of the problem is the hard drive electronics. The hard drive manufacturer has been notified of the problem and has acknowledged it's their design.
Zvi indicated that basically, the designers of my drive assumed that since a certain bios function is rarely used, then they could assign the function to an internal and totally different use. So, when a program (such as IVTEST) invokes the function (it's just a read command, but with special attributes), then the drive would behave very strangely, just as I had experienced.

As a closing note, I found that the IVINIT module of Invircible performed without a hitch when used from within my AUTOEXEC.BAT file as recommended in the IV documentation.

Regards,
Curly

------------------------------

Date: Fri, 17 Feb 95 02:35:38 -0500
From: nudij@aol.com (Nudi J)
Subject: effects of stoned virus (PC)

I am trying to put together a computer lab where I teach and have been resurrecting a lot of 286's. One I discovered has a stoned virus, I cleaned it but both the floppy drives now respond that the disks are write protected when they are not. Is this the result of the virus? If so can I repair the damage? Is this an INT problem?

Also I am finding ANTICMOS on a large number of computers at my evening school. Thank you for the information on how to clean it.

J. Kaurloto

------------------------------

Date: Fri, 17 Feb 95 02:54:28 -0500
From: Mikko Hypponen
Subject: Re: New Stealth Virus?? (PC)

Kamil Bukala (ac529@cfn.cs.dal.ca) wrote:
> I think I might have a virus

I'll bet your system isn't infected at all.

> When I tried to erase the file, I could not get rid of it
> (del, rm, norton, etc.), and when I tried to read it with a
> regular(reads files through DOS) hex editor, the file was given a
> zero length (even though the length on the HD is 982 bytes..

The 'nul' file is a standard feature of the DOS operating system; it's not a real file at all, but a pointer to the system device 'nul', just like 'com1', 'prn' or 'con'. Because of the way DOS works, this file seems to be present in every directory. You can't read it or write to it, and its size seems to be random.
> The file only has the archive attribute..

This is correct and normal.

> F-prot seems to think I have a stealth virus in memory
> when I scan that file in Heuristic mode (even though I booted
> from a clean diskette)..

This is not normal, and indicates that for some reason, a *real* file called 'nul' has somehow been created. This causes some problems, since you can only see the file, but can't access it in any way. You would probably need to run some sort of disk editor program, locate the physical 'nul' file you have and manually edit its name to be something else. Alternatively, you can boot your machine with a floppy that has some other OS capable of reading FAT drives (Linux?) and delete the file from there. Running Norton Disk Doctor or MS-DOS SCANDISK/CHKDSK will *not* fix the problem.

For more information on what actually is causing the message from F-PROT, I'll quote F-PROT Professional Update Bulletin 2.08 from April 1993:

Questions & Answers
--------------------

While I was checking a diskette with F-PROT's heuristic analysis, all of a sudden I received the message "An active Stealth virus was found in memory". I couldn't find this virus, however, not even after a clean boot. What is happening here?

Cold-start the computer from a clean diskette and run the check again. If the virus cannot be found from the hard disk or diskettes, the situation was caused by something else than a stealth virus.

While checking files, F-PROT also continually monitors the state of the operating system. When F-PROT begins to examine a file, it marks up its assumed size, and, after the file has been searched, compares it to the actual file size. If there is a discrepancy, it can be assumed that something is feeding the operating system counterfeit information - something that active stealth viruses are known to do.

A similar situation may also arise if the disk's directory system contains corrupted data.
If the disk contains two files with the same name in a single directory, the second one cannot be handled with any of the functions of DOS. F-PROT will thus compare the file length to the value DOS announces for it. When the two values do not match, F-PROT remarks on this. Because DOS does not allow the creation of two files with the same name in a single directory, it can only result from an error situation or a deliberate alteration.

The same message results also if the disk contains a file that has been named after a device or a driver. Such names are, for example, COM1, PRN, LPT1, EMMXXXX0, CON and CLOCK$, and they are exclusively reserved for DOS's use. Through these virtual names, data can be conducted directly to devices. DOS does not allow files to be named after device drivers, but such a file may result due to an error situation, or also if a diskette has been used in some other computer environment. In this case, F-PROT tries to compare information from a real file and a virtual device. Naturally enough, the two do not match.

Logical disk errors such as the ones described above can be corrected by using the Norton Utilities or a similar tool program.

- --
Mikko Hermanni Hyppönen // mikko.hypponen@datafellows.fi
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Computer virus information available via WWW at http://www.datafellows.fi

------------------------------

Date: Fri, 17 Feb 95 03:21:32 -0500
From: xdos@cybrtxt.com (Race Banner)
Subject: Re: New Stealth Virus?? (PC)

Kamil Bukala wrote:
> I think I might have a virus, due to the following reasons:
>
> nul            982   2-05-95   3:28p
>        982 bytes in 1 file(s)      2,048 bytes allocated
>                                  600,064 bytes free
>
> An active "stealth" virus has been found in memory. You should reboot
> the computer from a "clean" system diskette.
>
> Has anyone encountered this before, know what virus it is
> or how to clean it (I want to clean it as the backup of my HD is
> now nonexistent)..
>
> Please reply (if possible) to ac529@cfn.cs.dal.ca (Kamil Bukala)..

Though I'm no expert, a 982 byte file shouldn't take up 2 allocation units (ie 2048 bytes) but just one. That would seem to confirm a piggyback of some sort.

Here are some things I would try (warning: novice giving advice, very dangerous!!)

1) try doing an attrib *.* /s -hrs on the affected drive
2) dir nul. > file1.txt
3) dir nul.* > file2.txt
4) compare the contents of file1 and file2 to see if any differences show up. Look for nul.com or nul.exe files that shouldn't exist or are newer than the original nul file. Delete any nul.* files that don't belong, and remember to replace the attributes of any files that were affected by the attrib command.

Probably won't catch any of the advanced virii but may get an easy one.

- --
He who controls the information, controls reality.

------------------------------

Date: Fri, 17 Feb 95 03:29:27 -0500
From: sea@montego.umcc.umich.edu (Steve Arlow)
Subject: New version (?) of Satanbug (PC)

I have discovered what appears to be a new version of the Satanbug virus. It may even be a "natural" mutation caused through interaction with another virus. Anyone with similar symptoms, or details on Satanbug's MO, please let me know.

SYMPTOMS:

The afflicted system (not mine, thankfully!) displays a variety of bizarre symptoms, seldom the same twice, but with a marked tendency towards "invalid instruction" exceptions. The latest versions (all January, 1995) of F-Prot, SCAN, and TBAV do not detect any infection in executables, BUT after mucking about in Windows, the Satanbug signature can sometimes be found in the permanent swap file. This seems to suggest an imperfect polymorphic and/or encrypting virus that cannot always generate/decode itself properly. The "improperly infected" file then crashes until it gets re-infected with a version of the virus code that works correctly.
HISTORY:

Machine's owner reports various inconsistent problems, most noticeably under Windows (sounds like any other computer so far! ;) ) The problem has grown progressively worse, with symptoms showing up earlier and earlier until machine can no longer always finish booting. Finally, similar symptoms appeared on another system immediately after contact with a diskette from the suspect system. (Okay, at this point it sounds like a virus.)

When I was first asked to examine the system, I happened to have a copy of F-Prot 2.13a (rather old) on a clean bootable floppy in my briefcase. F-Prot 2.13a detected Stoned.Empire.Monkey.B on the hard disk, and removed it successfully. Once the hard disk was disinfected, I ran F-Prot off of the hard disk and began scanning floppies. Two groups of floppies were positive for S.E.M.B: an older group traceable to the owner's former employer, and those which had been used recently. This suggests that he had S.E.M.B dormant on old floppies, and infected the hard disk only recently.

When scanning floppies in the B: drive, I noticed an odd behavior: F-Prot would try to access the A: drive first, get an error, and then continue on as if nothing unusual had happened. F-Prot does not normally do this in my experience... Since I was now running off of the newly "disinfected" hard drive, it is possible that a second (undetected) virus was now in memory.

Eliminating S.E.M.B did not eliminate the symptoms. Two days later, I returned with F-Prot 2.16 and the latest McAfee and TBAV on a clean-booting floppy. None detected any infection, save for a few suspicious files (mostly "install" programs) reported by TBAV's highest level of heuristics, and I presume these to be false positives. But then I found a Satanbug signature in the Windows permanent swap file. I deleted the file, let Windows re-create it, scanned it. After running in Windows for a while, the signature eventually shows up in the swap file.

NOW WHAT?
I don't have time to sit down and try to reverse-engineer a virus; besides, there are presumably folks who do that for a living. Is there some standard "bait" file that I should try to infect? If I do come up with an isolated copy of the virus, should I post it here?

- --
Griffy: "We must NEVER let down      Steve Arlow, Yorick Software Inc.
         our vigil against           39336 Polo Club Dr. #103
         ANTHROPOMORPHISM!"          Farmington Hills, MI 48335-5634
Zippy:  "Woof."                      yorick@mail.msen.com

------------------------------

Date: Fri, 17 Feb 95 04:28:46 -0500
From: Mr Israel Kay <100112.2001@compuserve.com>
Subject: Virus - Espejo (PC)

Ian Guthrie writes:
> F-PROT 2.16 has detected a new virus called ESPEJO that we believe is
> from Mexico. F-PROT is not able to disinfect this virus. Any assistance
> is appreciated.

Espejo is fairly new. It is a boot sector virus and part of it is encrypted. It has a message in Spanish:

"Esto te pasa por programas que a nosotros nos cuesta tanto trabajo hacer. Que te quede de Experiencia, Mexico,1994"

If someone out there understands Spanish, please translate :-)

Drivers for disinfecting Espejo should appear very shortly in the popular AV packages. In the interim I advise you to look at the NEW_VIR.DOC file included with F-P216. This will instruct you further.

Kind regards,
Israel

I'M ALL FOR COMPUTER DATING, BUT I WOULDN'T WANT ONE TO MARRY MY SISTER.

************************************************************************
*   I S R A E L   K A Y                                                *
*   IT Security Consultancy, London Office,                            *
*   137 Wargrave Avenue, London, N15 6TX. UK.                          *
*   Tel: +44 181 800 7278   Fax: +44 181 802 9880                      *
*   CIS: 100112,2001   Internet: 100112,2001@compuserve.com   CIX: ik  *
************************************************************************

------------------------------

Date: Fri, 17 Feb 95 07:29:06 -0500
From: "Frans Veldman"
Subject: Re: Access control, viruses and InVircible (PC)

Samuel Chang writes:
> To make a long story shorter, I chose a higher safety configuration PROT
> offered and ran the computer without problems. Several hours later, I
> registered InVircible and rebooted the computer, but this time, I found I
> was locked out of my own machine! After a phone conversation with PROT's
> tech-support, it was eventually learned that PROT interpreted InVircible's
> writing to the hard drive (its registration information), a breach of security
> and locked all users out of the computer, including me. Tech-support indicated
> that this was the user's mistake (RTFM) and that there was no software from
> their company that was created to restore a hard drive in such instances.
> Basically, I was dumped to deal with my own problems - significant problems since
> I could not boot from the hard drive or floppy. PROT just sat in the partition
> sector and rerouted all information taking my computer hostage.
>
> *** What's the moral of the story?***
> Curiosity killed the cat - as well the fact that InVircible is an
> incredible piece of programming! Having read comp.virus regularly,
> perused anti-viral reviews, and keeping up with developments in the AV
> field, I was hesitant to make InVircible my primary source of
> protection. But after this experience, I can say with whole
> heartedness, "I BELIEVE IN IV!"
>

I do understand from the above:

1) Due to an incompatibility with a password program, InVircible caused your machine to lock up, while the other anti virus products did not cause any problems at all.

2) Now you think InVircible is a great product, because it caused a problem? Hmmm.
If MY product causes a conflict with a password utility, or even displays a message that the partition record is being changed, they always blame ME.

Anyway, I think the master boot record is a restricted area, only ONE program can be allowed to change and control it. The fewer programs fiddle with the master boot record, the fewer conflicts you will have. Programs should try to find another place to store/hide information. You have only ONE master boot record, you know, but plenty of other sectors. If two programs cause compatibility problems because they fight over the use of the master boot record, then BOTH products are guilty.

> A word of merit and recognition is deserved on Michael Paris' part.
> He not only restored my system (a big plug for InVircible's disaster
> recovery features), but stayed to demonstrate, with a handful of
> contained test viruses, how effective InVircible was in dealing with
> virus attacks as well. I watched in amazement as the test viruses
> bypassed VSAFE at its highest level of security, infected files
> without detectable change in file size (with the DIR command), and
> attacked parts of InVircible itself.

Any anti-virus developer can perform these shows. There are plenty of viruses, and for every purpose you can find a virus. However, since it is unethical, and to more intelligent customers too obvious that the choice of viruses is dependent on the anti-virus product you are plugging, nobody is using these demonstrations to sell his product.

- --
Thunderbye, Frans Veldman        <*** PGP public key available on request ***>

Frans Veldman                    Phone (ESaSS)  + 31 - 8894 22282
veldman@esass.iaf.nl             Fax   (ESaSS)  + 31 - 8894 50899
2:282/222.0@fidonet              Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Fri, 17 Feb 95 13:15:55 -0500
From: Michael Straight
Subject: Trying to Clean Athens-Help (PC)

We were infected with Athens yesterday.
Last night we cleaned all 450 computers only to discover this morning that Athens had gone stealth and we are all reinfected today. Some of the software we are trying to use to fix this mess is starting to get infected. We have called in the experts and they have called in their experts. I am not sure if we are making progress or not. Does anybody have some information we need to consider?

- -Michael Straight

------------------------------

Date: Fri, 17 Feb 95 13:59:10 -0500
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Zipped files and detection? (PC)

Talk to Me (peteman@wam.umd.edu) wrote:
> Can viruses be detected in zipped files scanned by a McAfee or
> MS-doctor scanner?

No, but AVP can scan inside archives.

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas          Lead, Follow,        35    InterNet: iandoug@cybernet.za
P.O. Box 484         or get out of        1,73  FidoNet:  5:7102/119
7532 Sanlamhof       the way.             57    TopNet:   225:2048/1
South Africa         (Ted Turner, CNN)    XNTX  PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 17 Feb 95 17:33:05 -0500
From: Roberto Parker
Subject: Natas AV (PC)

We have a Natas AV that will detect and remove the virus from your PC. It also has a TSR that will disinfect floppy boot sectors on the fly.

Remember Natas will reformat your Hard Disk... eventually

Regards
Roberto Parker

------------------------------

Date: Thu, 16 Feb 95 14:32:55 -0500
From: virusbtn@vax.ox.ac.uk
Subject: Re: InVircible review in Virus Bulletin

Zvi Netiv writes:
> I am the author of InVircible, the product that the Virus Bulletin
> "reviewed" in its December 94 issue.

Hello, Zvi. I've deliberately stopped myself jumping in until the last round of arguments, but I've decided that this whole thread is in danger of becoming pointless. So let me make a few very brief points.

> etc.
> The poster may also have noticed that the Bulletin didn't attach any
> comments to the review from the products developer, which is only
> courteous, to balance the negative and highly opinionated article.

Let me put the record straight here. I offered you 500 words to say *whatever you liked*, which would be published before the review. I don't think any other publication would do that. You chose not to take me up on this offer. That was up to you, but it does rather colour your statement about not putting any comments on the review from you.

> publication" about virus and antivirus matters. Somewhere in the fine
> print, one will find that the Bulletin belongs to the Sophos group, which
> is the producer of Sweep, a scanner based antivirus package that competes
> with other scanner based AV software. To support its appearance of

We've never tried to hide our relation with Sophos, as it's not something which needs to be hidden. Judge me on what I print. If I were out to promote Sophos above all others, I would not be trying to nail minor players in the industry, but the main Sophos competitors (Dr Solomon's AVTK, F-Prot Professional, TBAV etc.). However, you'll note they usually do pretty well in comparative reviews. It's a little naive to think that VB would have survived for the five/six years it has if it were just the extended marketing arm of one vendor.

> to viruses. Their motive was simple: To kill InVircible as a viable
> competitor to their own conceptually outdated product before it became a
> real threat to the established and entrenched AV industry, and probably to
> the very existence and need for a publication like the Bulletin.

Out of interest... do you _really_ believe this?

> The editors weren't ignorant of the fact that a product like InVircible
> could develop to the stage it has without needing virus sources and
> libraries, at all. The antivirus industry's existence depends on its

That's your opinion, and you're entitled to it.
> When I told Richard Ford that his review was full of factual errors and
> that the reviewer didn't even evaluate all of InVircible's different
> functions (the reviewer admitted this himself!), he then gave me the
> Devil's choice: Either to add a 500 word rebuttal, or to see the review
> published without it. I asked in return either to publish my rebuttal in
> the same issue, with the same length as the VB review, or to abstain from
> publishing the maliciously intended and fabricated review. I would have
> been a fool to legitimate the review by accepting Richard's disingenuous
> and deceptive offer of a 500 word rebuttal. Richard has ignored my
> messages and faxes since I refused to accept his offer; and, he didn't
> even give me the courtesy of informing me that the Bulletin published the
> review. As said earlier, I do not subscribe to VB and I have no intention
> of doing so.

Zvi. I ignored your later posts because they all started to read like this one. And 500 words of free space is hardly a 'disingenuous' offer, if used wisely. I kept replying to your posts in an open and friendly manner until you started posting me threats and demands.

VB prints the truth as it finds it. No amount of rhetoric will change that. It is what its subscribers need, and it is what they pay for. I'll _discuss_ any and all of the reviewing process, because I'm keen to make Virus Bulletin a better journal. Better reviews lead to better products. This in turn leads to better value for users, so everyone wins. However, you don't seem to want to _discuss_ anything.

> The biggest farce was yet to come. Since I didn't want the Bulletin to
> make "corrections" to the flawed review, I requested that the floppy with
> the program be returned to me and THAT THE REGISTRATION BE UNINSTALLED
> BACK FROM THE HARD DISK TO THE FLOPPY, before it was returned to me. Dr.
[stuff deleted]

> When I checked the returned diskette, the TWO REGISTRATION KEYS WERE ON
> THE FLOPPY, which simply means that the software was never installed
> properly to the hard disk; and, the reviewer could not, and did not,
> evaluate InVircible in its "full authorization" mode of operation.

If there is a problem with the installation routines, that is your problem, not mine. Yes?

> Rather than leave you guessing about the many errors and factual
> inaccuracies in the Bulletin's review I have made annotations to the
> pre-publication copy of it sent to me by Richard Ford, below.

Reproduced without my permission, I might add. I won't reply to all of this, as much of it speaks for itself.

> unforgivable. Dr. Jackson's failure(s) reflect negatively on the Bulletin
> and its editor as well, don't they? I believe so especially since I gave
> Richard Ford notice of the above failures prior to publication of the
> review!

Personal attacks hurt nobody but yourself.

> If Dr. Keith Jackson represents the standard stuff published in the Virus
> Bulletin, then it's hard to understand who would subscribe for the dubious
> privilege of receiving such garbage regularly for the cost of $400 a year.

So after accusing the scanner manufacturers of insulting the intelligence of their users, you now say all VB readers are easily duped? Most of the readers of VB are sharp, well informed, and have a good grip on the issues. They represent some of the biggest companies in industry. One thing you cannot say about them is that they are stupid: they are far from it.

VB comes with an unconditional money back guarantee, that if a subscriber wishes to cancel their subscription at any time, we will fully refund the cost of all unmailed issues. It's on the flyers we distribute. I can't remember the last time anybody used this because they thought the magazine wasn't a worthwhile publication.
> My conclusion, avoid pompous publications lacking in professional
> etiquette and courtesy such as the Virus Bulletin.

All I can say is that VB costs real money to put together. It pays its contributors, and in the view of (I would hope - they keep re-subscribing) its readers, tells things like they are. Most of Virus Bulletin's readers are in large corporates. They need to know which products work and which do not.

I stand by this review, and the conclusions drawn. While I would be the first to admit that Invircible has some clever ideas in it, I don't think they are the cure all you think they are. Isn't it better to stop a virus at the door, than risk it getting onto a work machine? And I have always followed professional etiquette, and been courteous in my dealings with you.

> Version 6.01 was offered and made available to the Bulletin as early as
> October 94, but was ignored, as were all my messages.

Maybe that message mysteriously got lost between my machine and yours. I believe that I sent a message explaining that the review was already in progress. VB reviews what it is sent... the first time. We can't stop every time someone sends in an update. Either way, I clearly did reply at some point, because everything you've posted here has been drawn from personal Email I sent to you, used without my consultation or consent. And that, I feel, does breach what is considered professional etiquette.

Regards,
Richard Ford
Editor, Virus Bulletin.

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 17]
*****************************************
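Editor's note on the "New Stealth Virus??" thread above: the F-PROT bulletin quoted in Mikko Hyppönen's reply explains the heuristic behind the "active Stealth virus" message (the scanner compares the size DOS announces for a file with the size it actually reads, and the three things that make the two disagree are an active stealth virus, two entries with one name in a directory, and an entry named after a DOS device). The Python script below illustrates that check over a constructed directory listing. It is an added example, not F-PROT's code and not anything posted to the list; the directory entries are made up in memory, and the device-name table extends the bulletin's list (COM1, PRN, LPT1, EMMXXXX0, CON, CLOCK$) with the other standard DOS devices (AUX, NUL, COM2-COM4, LPT2-LPT3), which is an assumption of a stock DOS configuration.

```python
"""Directory-consistency check in the spirit of the F-PROT heuristic quoted
in the digest.  Added illustration, not F-PROT's code: every directory
entry below is constructed in memory and no real disk is touched."""

from collections import Counter
from typing import List, NamedTuple, Tuple

# Device names reserved by DOS.  The bulletin lists COM1, PRN, LPT1,
# EMMXXXX0, CON and CLOCK$; AUX, NUL, COM2-COM4 and LPT2-LPT3 are the
# remaining standard devices (assumption: a stock DOS configuration).
DOS_DEVICE_NAMES = {
    "AUX", "CON", "PRN", "NUL", "CLOCK$", "EMMXXXX0",
    "COM1", "COM2", "COM3", "COM4", "LPT1", "LPT2", "LPT3",
}


class DirEntry(NamedTuple):
    name: str           # 8.3 name as DIR shows it
    dos_size: int       # size DOS announces for the entry (what DIR prints)
    readable_size: int  # bytes actually obtained by reading the file to its end


def device_base_name(name: str) -> str:
    """DOS matches device names on the part before the dot, so NUL.TXT is
    still the NUL device.  Returns the upper-cased base name."""
    return name.split(".", 1)[0].upper()


def is_device_name(name: str) -> bool:
    return device_base_name(name) in DOS_DEVICE_NAMES


def find_duplicate_names(entries: List[DirEntry]) -> List[str]:
    """Names that occur more than once in one directory (DOS forbids this)."""
    counts = Counter(e.name.upper() for e in entries)
    return sorted(n for n, c in counts.items() if c > 1)


def analyze_directory(entries: List[DirEntry]) -> List[Tuple[str, str]]:
    """Flag every entry whose announced size differs from what could be read,
    and attach the most likely explanation in the order the bulletin gives:
    device-named entry, duplicate name, otherwise unexplained (the case in
    which F-PROT reports an active stealth virus)."""
    findings = []
    duplicates = set(find_duplicate_names(entries))
    for e in entries:
        if e.dos_size == e.readable_size:
            continue  # nothing to explain
        if is_device_name(e.name):
            reason = "entry named after a DOS device"
        elif e.name.upper() in duplicates:
            reason = "duplicate name in one directory"
        else:
            reason = ("unexplained size mismatch (DOS says %d, read %d): "
                      "possible active stealth virus or corrupt directory"
                      % (e.dos_size, e.readable_size))
        findings.append((e.name, reason))
    return findings


def stealth_suspected(entries: List[DirEntry]) -> bool:
    """True only when some mismatch has no benign explanation, i.e. when
    the 'active Stealth virus' message would actually be warranted."""
    return any(r.startswith("unexplained") for _, r in analyze_directory(entries))


# Constructed sample directory.  The NUL entry mirrors the DIR listing in
# the thread (982 bytes shown, nothing readable through the device).
SAMPLE_DIR = [
    DirEntry("COMMAND.COM", 54645, 54645),  # healthy: both sizes agree
    DirEntry("NUL", 982, 0),                # DIR shows 982 bytes, device reads empty
    DirEntry("REPORT.TXT", 1200, 1200),     # first of two same-named entries
    DirEntry("REPORT.TXT", 3000, 1200),     # second one: DOS always opens the first
    DirEntry("EDIT.EXE", 20480, 21504),     # constructed: DOS hides 1024 appended bytes
]

if __name__ == "__main__":
    for name, reason in analyze_directory(SAMPLE_DIR):
        print("%-12s %s" % (name, reason))
    print("stealth virus suspected:", stealth_suspected(SAMPLE_DIR))
```

Run on the sample, the NUL entry from the thread is explained as a device-named entry rather than a stealth virus (Hyppönen's diagnosis), the second REPORT.TXT as a duplicate name, and only the constructed EDIT.EXE mismatch is left without a benign explanation, which is the one case in which the scanner's warning is justified.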