VIRUS-L Digest   Tuesday, 28 Feb 1995    Volume 8 : Issue 19

Today's Topics:

Virus Bulletin
Re: Virus Bulletin
Does Unix Virus Protection Exist? (UNIX)
Espejo virus (PC)
Keyboard Infected with GENB (PC)
GENB Identification (PC)
Windows Crashes, Virus suspected (PC)
Re: ANTICMOS B - "Loading Bootstrap..." (PC)
surviving warm or cold boot (PC)
Help: "Spectre" virus. (PC)
In Vircible - A Recent Review - Where to obtain? (PC)
Time for new virus protection! (PC)
Looking for info on Vsign/Cansu virus (PC)
Re: 69 virus (PC)
Re: Utilities (PC)
Re: surviving warm or cold boot (PC)
Re: Virus scanner for dos 4.0 or less? (PC)
Re: "daboys" virus...HELP!!! (PC)
Re: Best AV software for LAN? (PC)
Re: Virus Protection Software (PC)
Re: Recommendations for behaviour blocker? (PC)
Re: Need help selecting virus softwares (PC)
Looking for Invircible (PC)
Is Scan 2.1.3 and 2.1.4 buggy?? (PC)
Re: FORM (PC)
Illegal file names (PC)
RE: Looking for help anti-virus recommendation (PC)
re: Fighting The Stealth C (PC)
Baudrillard/Virus (PC)
ANTICMOS B virus (PC)
Re: F-PROT's Virstop.. How effective is it? (PC)
"ESTO TE PAS" - anyone heard of this one??? (PC)
HD2 virus help (PC)
Re: New version (?) of Satanbug (PC)
Re: help I have a virus.. I think (PC)
Re: Junkie (Junkey, Junky) Virus (PC)
Re: FORM (PC)
Heard of Beijing virus?? (PC)
Re: Fighting The Stealth C (PC)
Need help fighting FLIP2 virus! (PC)
RIPPER virus, Need Details (PC)
Yes Virginia, there is a ... (Was: Re: Do you believe in GENB? (PC))
F-PROT Gatekeeper Antivirus - free test phase in progress (PC)
Product Test Report PT-76, CryptoMactic (Macintosh)
NCSA Security Conference

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 23 Feb 95 08:14:18 -0500
From: njb@knoware.nl (Niels Bjergstrøm)
Subject: Virus Bulletin

The integrity of Virus Bulletin has been discussed in a number of postings recently, and the discussion deserves to be lifted a bit above the flying mud level, because it is significant.

First - for what it is worth - please allow me to express my full confidence in the personal integrity of editor Richard Ford and the Sophos management. It is true that they are able to talk to each other without leaving their seats or using an intercom. I don't think this has ever influenced the contents or attitudes of VB in a scheming or conscious manner.

Nevertheless the close companionship between Sophos and VB may exert an indirect influence. I think most readers will agree that VB is *extremely* conservative and very late to embrace new technologies or even to test and explain these. This agrees very well with the scanner-based (obsolete?) technology used in all Sophos products. It is a tendency which will not help users discover and switch to modern cost-effective technologies and away from virus scanning, which is a 90% waste of time.
VB has just invited a discussion about their scanner-test techniques, but I think the point is that these tests are so misleading that they should not be published at all by a publication wishing to be authoritative in our field.

A scanner in a modern anti-virus system basically has two roles: (1) to ensure that a system is clean at installation time, and (2) to identify the causes of alarms from the active components of the anti-virus system. How important (1) above is depends on the quality of the stealth avoidance technology inherent to the anti-virus system in question, and (2) can be replaced by proper hot-line service (we still see more actual damage caused by people attempting to clean up after virus attacks than by the vira themselves). Thus, using the detection capability of a scanner as a measurement of anti-virus system quality is senseless.

A publication wishing to play an authoritative role must have the necessary funds and editorial strength to perform relevant tests, i.e. to perform full evaluations of all aspects of anti-virus systems and assess their quality from the point of view of raw security, cost-effectiveness, etc., the parameters needed by management to make an informed choice! It seems that no one is currently able to lift this burden in the anti-virus field. We also have to accept the fact that independent and impartial information is not easy to come by in this field, since the leading publications are affiliated with product manufacturers.

Niels Bjergstrom
Commercial Director
Computer Security Engineers, Ltd.
Email: njb@knoware.nl

******THE VACCINE DEFEATS THE VIRUS******

------------------------------

Date: Thu, 23 Feb 95 19:32:25 -0500
From: "Frans Veldman"
Subject: Re: Virus Bulletin

emd@access3.digex.net (EMD Enterprises) writes:

> EMD>> VIRUS BULLETIN IS OWNED BY THE SAME INDIVIDUAL(S) WHO OWN SOPHOS,
> EMD>> A U.K. COMPANY WHICH SELLS SWEEP, A SCANNER BASED ANTI-VIRUS PRODUCT
>
> While Sophos may not have been top rated in the past reviews, it
> almost always finished near the top. Indeed, there would be a blatant

Maybe it is just not a bad product?

> But that is not the point. There is a credibility problem with
> Virus Bulletin that people in the anti-virus community need to be aware
> of. What would you feel if Microsoft started a magazine and began
> reviewing its own products as well as competing products? Would you
> ever believe those reviews no matter how loudly Microsoft proclaimed
> the objectivity of the magazine?
>
> No problem here, but don't you think that for the sake of fairness
> these experts should not be employed by, or associated in any way with
> any anti-virus product manufacturer?

Let's face it:

1) There are no independent capable anti-virus reviewers. All people who really understand the issue are working in the anti-virus industry. The ones that are not are not able to review a product.

2) Given the above, we need to select some people from the anti-virus industry to do the reviews. I'm not going to list them all, but there are quite some publishers who are blatantly plugging a certain product.

3) Virus Bulletin may be affiliated with one specific product, but: Several other people from other anti-virus companies are affiliated with Virus Bulletin. One example is Fridrik Skulason who is also technical editor of Virus Bulletin. Note that Frisk and Sophos are competitors. If ever the impression arises that Virus Bulletin is the marketing arm of Sophos, all these 'foreign' people working for Virus Bulletin will disappear. They are still there... They guarantee the independence to some degree. Of course I also have had quite some discussions with Virus Bulletin, but unlike some other 'reviewers' they are at least willing to listen. As soon as I get the impression that the tests are unfair, I will probably be the first one to make noise about it.

4) If we have to accept that there are no completely independent reviewers, (and we have to accept that) then Virus Bulletin is not a bad alternative.

> FV> The real problem are the users. All they want is scanners. So the
> FV> reviewers keep on reviewing scanners.
>
> Users want scanners because they have been led to believe that
> they must have the latest virus signature for effective virus
> protection. This sustained PR campaign from scanner based product
> manufacturers has worked very well in convincing users that they must
> periodically purchase updates to keep up their defenses.

To my experience and opinion, this is not true. We also have an anti-virus hardware product, just like you. We still sell it, but if we explain the pros and cons of both our products (software based and hardware based) people prefer the software based solution. WE didn't convince people that they need scanners, the people convinced US that we should make a scanner.

Consider for instance a company with 5000 PC's. Do you really think they like the idea to open up 5000 PC's to insert a card, then to reconfigure all the memory managers (because an Eprom is added), to find a hardware conflict in 2% of the cases (still being 100 PC's! (= 100 employees stopping their work)), etc? And then I'm not even speaking about the prices of a hardware product which can not be discounted as much as software.

> We hope to change all that though. I invite you to visit us in

It would also open a new market for us if that happened. However, I highly doubt that there is a large market for anti-virus hardware. I wish you all the best.
- --
Thunderbye, Frans Veldman
<*** PGP public key available on request ***>
Frans Veldman             Phone (ESaSS)  + 31 - 8894 22282
veldman@esass.iaf.nl      Fax   (ESaSS)  + 31 - 8894 50899
2:282/222.0@fidonet       Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Thu, 23 Feb 95 17:57:31 -0500
From: skhan@osf1.gmu.edu (Shahab R Khan)
Subject: Does Unix Virus Protection Exist? (UNIX)

I have gotten into a heated discussion with a friend about whether there are any Unix viruses out there. He believes there are. I don't think so. I use SCO unix at work and grew up on Ultrix in school, and I never heard of or came across any Unix viruses, as opposed to DOS viruses which infect files and memory. I am telling him that threats to Unix are of a different kind, those posed from hackers trying to break in, and not files that corrupt memory and mess up other files. Though come to think of it, I could write something that would do _some_ damage if executed, but only if executed. How can you have memory resident viruses in unix unless they are booted up with the system? Also, I have _never_ heard of any Unix virus protection software packages, even shareware.

Can anyone give us an idea which one of us is out of our minds? I'd really appreciate the help. In case you feel like engaging both of us in our so far stimulating discussion, you can cc: him too, at azaidi@cne.gmu.edu.

Thanks in Advance!

- --
Shahab Raza Khan             George Mason University
skhan@osf1.gmu.edu           Fairfax, Virginia
After a number of decimal places, nobody gives a damn.

------------------------------

Date: Wed, 22 Feb 95 14:44:09 -0500
From: rsr@violet.berkeley.edu
Subject: Espejo virus (PC)

Ian Guthrie writes:

> F-PROT 2.16 has detected a new virus called ESPEJO that we believe is
> from Mexico. F-PROT is not able to disinfect this virus. Any assistance
> is appreciated.

This virus showed up here last year. Frisk rigged up a special version of F-PROT that can detect the virus. It can be removed with FDISK /MBR.
I don't have the original post, but if Ian Guthrie can send me his email address I can forward the special copy of F-PROT.

Roger Rosenblum                               rsr@garnet.Berkeley.Edu
Workstation Software Support Group, IST/WSS
297 Evans Hall
University of California, Berkeley, Ca 94720
1-510-643-5385 (Fax)

------------------------------

Date: Wed, 22 Feb 95 15:06:40 -0500
From: divenuto@STCCIPHUB.STCC.MASS.EDU
Subject: Keyboard Infected with GENB (PC)

One of the PCs in our lab has a programmable keyboard. This fall the computer was infected by the GENB/GENP virus so I reformatted the computer and reinstalled software. Within hours it was re-infected without anyone using a floppy disk. This infection was manifested as sudden uncontrollable letters scrolling across the screen when using the keyboard.

When I discovered that the keyboard was programmable, I decided to investigate the possibility that the virus was hiding in the keyboard buffer. I connected another non-programmable keyboard to the computer and did a cold boot with a write-protected disk. The computer kept protesting the keyboard but booted up anyway. To prove that the programmable keyboard was the source of the infection, I reformatted the computer again, installed only command.com, and reattached the programmable keyboard. After rebooting several times, the computer was again infected. Then, I set the keyboard to default to flush out the buffer, re-booted and reformatted. After checking with the virus scanner to insure the computer was clean, I re-installed software and had no further problem.

This is not an isolated occurrence as the same thing happened again this semester with the ANTI-EXE (GENB) virus. Since I now use F-Prot, I was able to flush the keyboard buffer and clean the virus from the computer without re-formatting.
VRD

Virginia DiVenuto
Springfield Technical Community College
One Armory Square
Springfield, Massachusetts, USA 01105
Phone (413) 781-7822

------------------------------

Date: Wed, 22 Feb 95 15:28:31 -0500
From: divenuto@STCCIPHUB.STCC.MASS.EDU
Subject: GENB Identification (PC)

I manage a computer lab at a community college. Most of the 21 networked PC's were infected with viruses this fall. Some of the manifestations of the viruses included beeping noises, garbage on the monitor when using the keyboard, and automatic re-booting by the computer. The virus detectors we were using couldn't identify the infections so I reformatted the hard drives and reinstalled local software. One of my students brought in a current copy of McAfee (2.17) and it identified the viruses present as GENB and GENP. However McAfee could only clean one virus from the boot sector.

When I finally gained access to the Internet in January, I discovered F-Prot. It identified the GENB virus from the disks I collected as the ANTI-EXE virus. F-Prot is able to clean this virus from Boot Sectors.

I hope this helps some people with GENB problems.

VRD

Virginia DiVenuto
Springfield Technical Community College
One Armory Square
Springfield, Massachusetts, USA 01105
Phone (413) 781-7822

------------------------------

Date: Wed, 22 Feb 95 15:52:21 -0500
From: dave@infi.net (Dave Hinde)
Subject: Windows Crashes, Virus suspected (PC)

We've been having an intermittent problem that we are beginning to suspect is virus related. We are running Windows (MS 3.10) applications off a Novell File Server (Netware 3.11). Windows will suddenly crash, and the PC will have nothing but an F: prompt. The user will be logged out. Sometimes they are returned to the C: prompt. This problem is very intermittent, moving from one system to another. It has now spread to another site. The problem first surfaced about 2 weeks ago, and is spreading in occurrences. All these systems were working before. No new software or apps.
The latest Intel Virus Scan is run at login time. Other virus products haven't found anything, yet (we've got upgrades coming). Any ideas or help would be greatly appreciated. Several other local Financial companies have been infected recently by different viruses.

- --
  __/,@ __     Dave Hinde
 /_o____o_|    dave@infi.net
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

Date: Wed, 22 Feb 95 17:27:14 -0500
From: m_norton@ix.netcom.com (Mark Norton)
Subject: Re: ANTICMOS B - "Loading Bootstrap..." (PC)

millheim@pond.com (Frank Millheim) writes:

>I have a compaq laptop with "ANTICMOS B" reported by mcafee 2.14. 214 will
>not remove it. I used 215beta, and it said "unable to remove ..." or
>something like that, then it tried what it called "generic removal method #1",
>and the virus now appears to be gone.
>
>But now when the machine boots up, right before DOS6 says "Loading MS-DOS..."
>a line appears that says "Loading Bootstrap..." but the machine seems clean.

I had the same problem on a TI TravelMate. McAfee 2.15e showed up with ANTICMOS b for a while,... later that day, the virus could not be detected. I too get the funny little bootstrap message, and I was sure that it hadn't done that before. Strange now the "virus" appears to be gone. Does anyone know of the symptoms of ANTICMOS b?

Thanks, m_norton

------------------------------

Date: Wed, 22 Feb 95 17:30:56 -0500
From: Iolo Davidson
Subject: surviving warm or cold boot (PC)

A.APPLEYARD@fs2.mt.umist.ac.uk "A.Appleyard" writes:

> Then, if a PC is infected with Exebug, how to genuinely clean boot
> it from a clean floppy?

Go into setup and make sure that drive A: is specified correctly, then allow the boot to continue and it will boot from the floppy. This is difficult if you have a PC with the setup program on a disk (like some IBMs), though.

> What is Burma Shave?

Stuff some people shaved with before 1963.
- --
    THO STIFF
    IT SHAVES
  THE BEARD LIKE DOWN
    WITH THAT
   NATURE GAVE
              Burma Shave

------------------------------

Date: Wed, 22 Feb 95 18:27:58 -0500
From: ccscon22@dag.ccs.carleton.ca (David bissessar)
Subject: Help: "Spectre" virus. (PC)

A friend has asked me if I could recommend a tool to detect and remove "Spectre" viruses. He tells me of a recently spotted "Casper" virus that all his AV programs cannot detect. Can any one recommend a tool to take care of these viruses?

Any help is greatly appreciated.

Regards,
David Bissessar
School of Computer Science
Carleton University
Ottawa, Canada
1(613)727-8312

------------------------------

Date: Wed, 22 Feb 95 19:58:38 -0500
From: fdeeg@ix.netcom.com (Fred Deeg)
Subject: In Vircible - A Recent Review - Where to obtain? (PC)

I have only recently been following some apparent debate of NetZ's virus program. What piqued my interest in this product was a recent newspaper article in a LA (CA-USA) newspaper, "The Daily Breeze", written by a Dwight Silverman of the "Houston Chronicle". He reports on a study recently done by Paul Williams @ Compaq Computer. Mr. Williams apparently did tests on eight popular checkers. Williams wrote: "InVircible had an amazing 100 percent virus detection rate, with a 0 percent false-detection rate, including when tested against brand new viruses".

BTW, I have no ax to grind, nor want to get into any debate as to whether or not this is a valid conclusion. I am just a very active PC user and wish to evaluate this program. Up to now, I was only aware of the *big players*. One conclusion that I have clearly come to is that in order to practice *totally safe computing*, esp on the net, one should be well armed with several ones and stay alert. Read: Don't let your guard down.

Where might I locate this program? Any comments or suggestions would be appreciated.

The word of the day: "Computer is down. Please *think* until further notice."
Fred

------------------------------

Date: Wed, 22 Feb 95 20:12:51 -0500
From: markle@acsu.buffalo.edu (Erin D Markle)
Subject: Time for new virus protection! (PC)

Hi! Since acquisition of The Internet Yellow Pages I seem to be downloading an awful lot. :) I have as yet not encountered any virus problems, however, the only protection I currently have is a three year old version of Virucide. I was on the oakland ftp site and saw the multitude of virus protection programs and was, frankly, daunted. I would appreciate it if someone could make a suggestion. Please post here or if you prefer e-mail send mail to bb635@freenet.buffalo.edu as all incoming mail seems to bounce off this account, listing it as inactive. (I'm looking into it) :)

Thanks very much in advance,
Erin

------------------------------

Date: Wed, 22 Feb 95 21:13:25 -0500
From: gt7783b@prism.gatech.edu (No one in particular)
Subject: Looking for info on Vsign/Cansu virus (PC)

Like it says; I have no information on this virus, and as it has made the rounds on campus a while back, I would like to know more about it. I know I can detect it with F-prot, but a computer disinfected with McAfee's Clean (I don't know what version) still showed infection with F-prot, and wouldn't clean. Any information would be appreciated. Thank you for your help.

Wes

- --
Wes McRae                      gt7783b@prism.gatech.edu
"If it can't kill you, it's not a Sport!"
Smoke * Noise * Fear

------------------------------

Date: Thu, 23 Feb 95 00:27:46 -0500
From: jadestar@netcom.com (Jim Dennis)
Subject: Re: 69 virus (PC)

In days of yore (13 Feb 1995 13:36:57 -0000) Gerald Khoo (cceksw@leonis.nus.sg) bespake:

:Shepherdson Cuthbert Nicholas (cuthbert@temasek.teleview.com.sg) wrote:

:: The virus can spread very easily. All you need to do a DIR
:: command on an infected diskette, and the virus goes into the memory of your
:: PC. Every disk that you do a Dir is also infected.
I don't know of any virus that could become memory resident by the execution of the DIR command. I also don't know of any mechanism by which this could happen. If you are booted clean you can't catch a virus by accessing data on a diskette. A directory is just data -- there is no code nor are there any hooks for a virus to link into.

:This virus is known by different names on different software
: F-PROT 2.16 - Sampo
: McAfee 2.14  - 69
: SWEEP        - Wllop
:However, the only software that can clean the virus so far is F-PROT 2.16.
:You can also try FDISK /MBR.

McAfee can kill Sampo (69) -- no problem (I've done it). I think even NAV can find this (I don't know if it removes it).

- --
////////////////////////////////////////////////////////////////////////////
JaDeStar
Disclaimer !?! I don't need no STINKIN' disclaimer! That's what I pay NETCOM for.

------------------------------

Date: Thu, 23 Feb 95 01:29:57 -0500
From: jadestar@netcom.com (Jim Dennis)
Subject: Re: Utilities (PC)

In days of yore (22 Feb 1995 13:20:32 -0000) naoh@yvax.byu.edu bespake:

:I was wondering if anyone knows of a program that will do the following:
: - Write a generic boot sector to a floppy disk

SYS A: or Norton Utilities 6.0 or + (DISKTOOL)

: - Scan for bad sectors, and rewrite them with null characters, and then mark
: them as good

NU DiskEdit (to do it manually) or DISKTOOL

: - Decompile machine language from a sector on a disk.

Assuming that DEBUG isn't what you're looking for :) you might want to try McAfee's ProView (DOS and Windows versions are on their FTP site and BBS). There are also a bunch of disassemblers on oak (and mirrors) in the /pub/msdos/asmutils (?) directory.

:The reason is that there are some viruses that the virus cleaner
:programs don't work on yet, but are simple boot sector viruses. (The
:FDisk command doesn't work on floppies!) Thanks!
Usually I'd recommend just XCOPY'ing the diskette to a temp file, noting the volume label --if any-- and reformatting the diskette with the /U parameter (assuming DOS 5.0 or later) or just reformatting it as normal (with earlier versions of DOS).

- --
////////////////////////////////////////////////////////////////////////////
JaDeStar
Disclaimer !?! I don't need no STINKIN' disclaimer! That's what I pay NETCOM for.

------------------------------

Date: Thu, 23 Feb 95 01:53:22 -0500
From: Mesmer@ix.netcom.com (John Harrington)
Subject: Re: surviving warm or cold boot (PC)

"A.Appleyard" writes:

>Iolo Davidson wrote:-
>
>Then, if a PC is infected with Exebug, how to genuinely clean boot it from a
>clean floppy?

Do what the virus does -- set CMOS to boot FIRST from A: and only from C: if there is no disk in A:

- --
Mesmer
John Harrington, C.Ht.
1@2732 WWIVNet
Brandon, FL

------------------------------

Date: Thu, 23 Feb 95 01:53:26 -0500
From: jadestar@netcom.com (Jim Dennis)
Subject: Re: Virus scanner for dos 4.0 or less? (PC)

In days of yore (14 Feb 1995 11:38:12 -0000) Fridrik Skulason (frisk@complex.is) bespake:

:salbando@selway.umt.edu (John Gebert) writes:

:>Could someone point me to a scanner for dos 4 or possibly an earlier dos?
:>Our old Novell network is running on Dos 3.(something) and F-Prot doesn't
:>seem to work.

:Uh, pardon me, but as far as I am aware F-PROT works even on DOS 2.x -- it
:will not work on DOS 1.x, however, but I would be extremely surprised if
:anyone was still using that anywhere.

:- -frisk

Maybe he's having a problem with insufficient memory or some TSR/driver conflict. Incidentally, I've used McAfee for years on my XT's (which all run DOS 3.3 or earlier -- later versions of DOS have nothing to offer the "classics" ( antiques? ;) ).

- --
////////////////////////////////////////////////////////////////////////////
JaDeStar
Disclaimer !?! I don't need no STINKIN' disclaimer! That's what I pay NETCOM for.
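The Utilities exchange above points the poster at DEBUG and disk editors to examine a sector from a disk, and FDISK /MBR comes up elsewhere in this digest as a fix for boot-sector infectors. As an added example (not code from any of the posts), this Python script does by structure what a person with a disk editor does by eye: it classifies a 512-byte sector image as a DOS boot record (jump plus BIOS Parameter Block near the start) or a master boot record (four-entry partition table just before the 0x55AA signature), and reports which byte offsets differ from a known-good copy. The floppy, MBR and "suspect" images are constructed inline for the example.

```python
"""Classify a 512-byte sector image as a DOS boot record (volume boot
record) or a master boot record, and diff it against a known-good copy.

Added example, not code from the VIRUS-L posts: a DOS boot record starts
with a jump and a BIOS Parameter Block (BPB), while an MBR carries the
four-entry partition table just before the 0x55AA signature.  All sector
images below are constructed for this example.
"""
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 11          # BPB follows the 3-byte jump and 8-byte OEM name
PART_TABLE_OFFSET = 446  # four 16-byte partition entries end at 510
SIGNATURE_OFFSET = 510   # 0x55 0xAA boot signature


def has_boot_signature(sector: bytes) -> bool:
    return (len(sector) == SECTOR_SIZE
            and sector[SIGNATURE_OFFSET:] == b"\x55\xAA")


def looks_like_bpb(sector: bytes) -> bool:
    """Plausibility check of the BPB fields a DOS boot record must carry."""
    if sector[0] not in (0xEB, 0xE9):   # short/near jump over the BPB
        return False
    (bytes_per_sector, sectors_per_cluster, reserved, fats,
     _root_entries, _total_sectors, media) = struct.unpack_from(
        "<HBHBHHB", sector, BPB_OFFSET)
    return (bytes_per_sector in (512, 1024, 2048, 4096)
            and sectors_per_cluster in (1, 2, 4, 8, 16, 32, 64, 128)
            and reserved >= 1
            and fats in (1, 2)
            and (media == 0xF0 or 0xF8 <= media <= 0xFF))


def looks_like_partition_table(sector: bytes) -> bool:
    """Plausibility check of the four partition entries at the end of an MBR."""
    used = 0
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        boot_flag, ptype = entry[0], entry[4]
        if boot_flag not in (0x00, 0x80):    # only 'inactive' or 'active'
            return False
        if ptype != 0:
            used += 1
        elif entry != bytes(16):             # an empty slot is all zero
            return False
    return used >= 1


def classify_sector(sector: bytes) -> str:
    """Return which kind of boot sector the image is, by structure alone."""
    if not has_boot_signature(sector):
        return "not a boot sector"
    bpb, table = looks_like_bpb(sector), looks_like_partition_table(sector)
    if bpb and not table:
        return "DOS boot record"
    if table and not bpb:
        return "master boot record"
    return "ambiguous" if bpb else "unknown"


def diff_sectors(clean: bytes, suspect: bytes) -> list:
    """Offsets at which suspect differs from a known-good copy of the sector."""
    return [i for i, (a, b) in enumerate(zip(clean, suspect)) if a != b]


def make_floppy_boot_record() -> bytes:
    """Constructed 1.44 MB floppy boot record: jump, OEM name, BPB, message."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"MSDOS5.0"
    # 512 B/sector, 1 sector/cluster, 1 reserved, 2 FATs, 224 root entries,
    # 2880 sectors, media 0xF0, 9 sectors/FAT, 18 sectors/track, 2 heads
    struct.pack_into("<HBHBHHBHHHII", sec, BPB_OFFSET,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    # loader text sits where an MBR would keep its partition table
    sec[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 24] = b"Non-System disk or disk "
    sec[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sec)


def make_master_boot_record() -> bytes:
    """Constructed MBR: code stub, one active FAT16 partition, signature."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:2] = b"\xFA\x33"              # cli; xor ... (typical MBR prologue)
    # entry 0: active, CHS start, type 0x06 (FAT16), CHS end, LBA 63, 20000 sectors
    struct.pack_into("<B3sB3sII", sec, PART_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0C", 63, 20000)
    sec[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sec)


def tampered_floppy_boot_record() -> bytes:
    """Constructed 'suspect' copy: OEM name overwritten, BPB left intact."""
    sec = bytearray(make_floppy_boot_record())
    sec[3:11] = b"XXXXXXXX"
    return bytes(sec)


if __name__ == "__main__":
    clean = make_floppy_boot_record()
    for name, img in (("floppy", clean), ("hard disk", make_master_boot_record())):
        print(f"{name}: {classify_sector(img)}")
    print("changed offsets:", diff_sectors(clean, tampered_floppy_boot_record()))
```

On a real machine the clean copy would be the sector saved from the disk when it was known good, which is the comparison a disk editor lets you do by hand.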
------------------------------

Date: Thu, 23 Feb 95 02:03:33 -0500
From: jadestar@netcom.com (Jim Dennis)
Subject: Re: "daboys" virus...HELP!!! (PC)

In days of yore (22 Feb 1995 13:20:07 -0000) Psychman (psychman@ripco.com) bespake:

:: Removal Instructions: DOS SYS
                         ^^^^^^^
:: better processor. Unlike other boot sector infectors, the DA'BOYS
:: virus overwrites or rewrites the DOS boot sector. It does not make a
                                   ^^^

Errr.... I think the answer was posted in the question. This is talking about the volume boot record not the MBR (There is a boot record for each DOS volume on the drive and one "Master Boot Record" (MBR) for the whole drive. The MBR is OS independent -- the BR or VBR is a DOS specific thing)

:: If this is true. It should be easy to remove the virus with fdisk /mbr.

Wrong answer. Read the question more carefully. Get into a good diskeditor and compare the boot record to the master boot record (the partition table is at the end of the latter whereas the BIOS Parameter Block is in the former -- also the error messages visible in each are different).

- --
////////////////////////////////////////////////////////////////////////////
JaDeStar
Disclaimer !?! I don't need no STINKIN' disclaimer! That's what I pay NETCOM for.

------------------------------

Date: Tue, 14 Feb 95 14:16:48 -0500
From: miseurope@delphi.com
Subject: Re: Best AV software for LAN? (PC)

Doug Burnett writes:

>What is the most widely used AV software on LAN. I'm new to the subject
>and trying to figure out who the big players in LAN AV are. Cheyenne?
>Intel? Who are the others?

You might like to give EMD Enterprises a call in the USA; they market an excellent anti-virus product. Their number is 410-583-1575 and ask for Enrico DePaolis, mention my name Mark Mottershead if it helps.
Good Luck

------------------------------

Date: Tue, 14 Feb 95 14:16:57 -0500
From: miseurope@delphi.com
Subject: Re: Virus Protection Software (PC)

writes:

>I am the computer support person at a large non-profit organization.
>Our license for our virus protection software has just expired. I am

Richard, You might like to try EMD Enterprises if you're in the USA; they market an excellent product called EMD Armor PLUS. The number is 410-583-1575; ask to speak to Enrico DePaolis, tell him I sent you (Mark Mottershead). If you're not in the USA call me in the UK on (44)-(0)1622-817808 Ext 25 and I will assist you.

Mark

------------------------------

Date: Tue, 14 Feb 95 14:16:53 -0500
From: miseurope@delphi.com
Subject: Re: Recommendations for behaviour blocker? (PC)

You might also like to look at EMD Armor PLUS; call EMD Enterprises on 410-583-1575, ask for Enrico DePaolis, he will be able to help.

Good Luck

------------------------------

Date: Tue, 14 Feb 95 14:18:04 -0500
From: miseurope@delphi.com
Subject: Re: Need help selecting virus softwares (PC)

Fridrik Skulason writes:

>>I like to purchase an anti-virus program for my company, but I
>>don't have any idea which anti-virus program is currently the
>>best one.

There are many products on the market for Anti-Virus protection. One product which our company markets is EMD Armor PLUS; this is a product that requires no update disks nor does it use any of the PC's conventional memory. Plus it will detect all Known and future viruses. If you would like more details please call Mark Mottershead in the UK on (44)-(0)1622-817808 Ext 25 or send me an e-mail.

------------------------------

Date: Thu, 23 Feb 95 09:25:53 -0500
From: Troyf@Perftech.com (Troy Forschner)
Subject: Looking for Invircible (PC)

I recently read about a virus checker I would like to try out. The program is called "Invircible" (INVB60.ZIP). If anyone has seen this program on the net let me know where to find it.
Thanks
Troy

------------------------------

Date: Thu, 23 Feb 95 09:44:57 -0500
From: e94_fhu@elixir.e.kth.se (Fredrik Hult)
Subject: Is Scan 2.1.3 and 2.1.4 buggy?? (PC)

Hi all..

I have a small problem with my PC. About a month ago, I think, I got Scan 2.1.3. When I scanned my computer Scan executed okay but when it checked my memory it stopped when it reached 608kb and yelled that it had found traces of the KOREA-virus in the memory. For some reason I started to play around with my autoexec.bat and config.sys to alter the drivers loaded. This led to reports of 4 different viruses. Is this possible or is there a bug in scan? I thought that scan _might_ be bogus.. Another of the reported viruses was TEQUILA. Note: scan always stopped at 608kb.

2 days ago the virus hit me. It seemed to erase programs that were executed many times in a row, because I had received TBAV631 and used it a number of times to learn its features. The TBAV-directory was the first to be destroyed. It seems like the virus crosslinks or partially overwrites the FAT. The affected directory looks something like this:

#'@%7b~(.{^1    23454566  81-01-12

i.e. you can't access the files or the subdirectories.

I run stacker 2.01 and I have 2 stackerdrives, C: and E:. The virus has only (yet) damaged E:. I use E: for my new programs, while I almost never touch C:.

Does anybody know what has happened? Thankful for any help..

/Fredrik Hult

------------------------------

Date: Thu, 23 Feb 95 10:07:43 -0500
From: tkingrey@teleport.com
Subject: Re: FORM (PC)

writes:

> A couple of questions about FORM... If it infects a non-system floppy which
> is left in the drive at boot time and the computer attempts to boot from it (
> and obviously fails) will the virus still have infected the machine?
>
> Secondly, can it infect a clean machine by any other method other than an
> infected disk being booted from? (eg disk reads)

I'm fighting the FORM virus right now, on a LAPTOP used by my company.
CPAV says it cleans the HD, but on reboot, CPAV says the disk is still infected. This is one nasty virus. The floppy disks used in a pc infected with this virus do not need to be boot disks. I inserted two different disks and copied some files to the infected Laptop. Both floppy disks became infected immediately. Cleaning them on another pc destroyed the boot sector tracks, and all data on the floppys was lost. Both floppys had to be reformatted.

It seems that I'm going to have to reformat the harddisk on the LAPTOP as well. CPAV can't clean it on this particular HD. Then restore from a known good Backup.

- -----------------------------------------------
Terry Kingrey - tkingrey@teleport.com
- -----------------------------------------------

------------------------------

Date: Thu, 23 Feb 95 11:11:17 -0500
From: "A.Appleyard"
Subject: Illegal file names (PC)

dalevy@sam.neosoft.com (David A Levy) wrote (Subject: help I have a virus.. I think. (PC)):-

> Help me I have found a strange file on my hard drive that I cannot get rid
> of. it is listed as: JEN ON B 15227 1/26/95 a
> when I try and change the attribute I get a message that the file cannot be
> accessed. ...

dkromer@omni.voicenet.com (Dennis Kromer) wrote (Subject: Is this a virus? (PC)):-

> Several days ago, I d/l a binary picture, and after logging off, found a
> "file" that has no extension and "0" bytes. The file name is MORE THA but it
> cannot be deleted, erased, or in any other way moved off the HD. ...

Something has created a file with a name containing an illegal character. As you can't put the name complete with illegal character into a command, you have no normal way to refer to that file in DOS commands.

(1) Make a DIR to a file (with `> tempfile' or the like), then examine the DIR output with a suitable file-examiner to see if the illegal character in the funny filename is space or a control character or what.
(2) To get rid of the funny file, COPY or MOVE files in that directory that you do want into another directory, or `ATTRIB filename +r' them to make them read-only; then DEL *.*

(3) Please: is there anywhere a package that will look through a disk for illegal filenames and ask you for a legal filename to rename them as?

------------------------------

Date: Thu, 23 Feb 95 11:24:06 -0500
From: gcluley@sands.co.uk
Subject: RE: Looking for help anti-virus recommendation (PC)

Are Aas writes:
> Is there anybody who could give me some advice?
> (I'm new in this conference and in fact new to bbs as well)

Virus Bulletin, a well-regarded virus newsletter, ran a comparative review of over 20 anti-virus products in their January 95 review. This may be worth having a look at, as the review pointed out that many anti-virus products failed to find viruses commonly found in the wild. I can send copies to anyone who would like to receive this review - just send me a request by email. Also, Vesselin Bontchev at the Virus Test Center, University of Hamburg has done some thorough reviews of anti-virus software.

> 2.) How can I scan self-extracting/zip/arj files? (in DOS)

Dr Solomon's Anti-Virus Toolkit can scan inside ZIP, ARJ, PKLite, LZExe compressed files. It can also handle ZIP and ARJ in their self-extracting forms and PKLite "unextractable" files. It does this recursively without having to write to the hard disk. Eugene Kaspersky's AVP program has a similar facility but I think that writes to the hard disk.
Regards
Graham

- ---
Graham Cluley [gcluley@sands.co.uk]
Senior Technology Consultant, S&S International PLC, Alton House,
Dr Solomon's Anti-Virus Toolkit Gatehouse Way, Aylesbury, Bucks, UK
S&S International PLC +44 (0)1296 318700
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
In the States contact: S&S Software International, Inc, 27660 Marguerite Parkway #C-250, Mission Viejo, CA 92692, USA
Tel: 714 470 0048 Fax: 714 470 0018 [72714.2252@compuserve.com]

------------------------------

Date: Thu, 23 Feb 95 15:38:59 -0500
From: "David M. Chess"
Subject: re: Fighting The Stealth C (PC)

> From: FIELDS@ix.netcom.com (Mark Fields)
>
> According to the prevalence of articles in this news group,
> I was utterly amazed recently when I discovered that the IBM virus
> server didn't list the Stealth_C virus as one of the top ten virus'
> infecting systems.

Virus naming has always been a morass. In this case, what the McAfee Associates software is calling STEALTH_C is probably the virus whose CARO standard name is Stealth Boot.B. IBM AntiVirus 2.0 and above call it that; previous versions call it just "Stelboo". In fact, in our most recently-posted list, this virus was number 5, so it's definitely common! I'll give part of the IBM AntiVirus online help description of it:

What: Resident diskette and hard disk master boot infector
Size: Boot record and 6 additional sectors on hard disk or diskette
Etc: When you boot from an infected diskette, the virus infects the hard disk. When you boot from an infected hard disk or diskette, the virus loads into memory and infects diskettes used in drive A or B later. While the virus is in memory, attempts to read an infected boot record will return a copy of the original uninfected boot record instead. While the virus has no intentionally-destructive effects, it will occasionally cause data loss on infected diskettes and hard disks.
I'll make sure that we add "Stealth_C" as yet another alias for this virus in the next IBMAV (the helps for 2.1 have already frozen, though, I'm afraid). Thanks also for the chance to plug the IBM Computer Virus Information Center out on the Internet; see my .sig below. (The full URL is "gopher://index.almaden.ibm.com/1virus/virus.70".) I've just updated the ten-most-common lists (although we're still not as current as I'd like), and the virus descriptions (to bring them up to the IBMAV 2.1 level), so the Center should be even more useful than it was a couple of weeks ago...

- - -- -
David M. Chess | IBM Computer Virus Information Center
High Integrity Computing Lab | gopher: index.almaden.ibm.com
IBM Watson Research | http://index.almaden.ibm.com

------------------------------

Date: Thu, 23 Feb 95 16:05:48 -0500
From: Iolo Davidson
Subject: Baudrillard/Virus (PC)

metzler@uni-muenster.de "Jan-Christian Metzler" writes:
> He also means that we have to think about a virus in an
> 'objektalen` (German) way. It means that we have to think from
> the view of the object (computer system) to understand the
> phenomenon of a virus.

German is not the right language to think about viruses in. Try Welsh.

- --
BIG MISTAKE INSTEAD OF MANY MAKE BRAKE RELY ON HORN Burma Shave

------------------------------

Date: Thu, 23 Feb 95 16:09:45 -0500
From: Iolo Davidson
Subject: ANTICMOS B virus (PC)

m_norton@ix.netcom.com "Mark Norton" writes:
> I put a write protected diskette in the notebook, and it showed up with
> something in memory called "ANTICMOS B". Every diskette I put in the
> notebook showed up with this in the master boot record.

Diskettes don't have master boot records.

- --
BIG MISTAKE INSTEAD OF MANY MAKE BRAKE RELY ON HORN Burma Shave

------------------------------

Date: Thu, 23 Feb 95 16:51:21 -0500
From: kinkale@Shamino.quincy.edu (Lee Kinkade)
Subject: Re: F-PROT's Virstop.. How effective is it? (PC)

I have found that Virstop outputs a message to the screen, even when you are in Windows and running WordPerfect. The message looks just like DOS text--it cuts through the button bar. In this situation you are not allowed to save your work, but you may exit Windows normally or run F-PROT in a DOS window.

Lee

P.S. Windows eventually rewrites the screen.

- ---------------------------------------------------------------------------
kinkale@shamino.quincy.edu | "vi,vi,vi editor of the beast."---A.E.M
"If you don't want to know the answer, don't ask the question." ---D.L.K.

------------------------------

Date: Thu, 23 Feb 95 17:17:59 -0500
From: l-field@tamu.edu (Larry Field)
Subject: "ESTO TE PAS" - anyone heard of this one??? (PC)

We sent a diskette out and the recipient called to say they detected the ESTO TE PAS virus on the diskette. Has anyone heard of this virus? I've used the most recent version of F-PROT and McAfee on the machine that generated the diskette and have found NO virus. Any ideas?

Larry Field - Senior Systems Analyst
Texas A&M University - B/P/P Operations Center
Voice: (409) 862-2763 Fax: (409) 845-7973
Internet: l-field@tamu.edu

------------------------------

Date: 23 Feb 95 19:41:27 -0400
From: mmacphee@is.dal.ca (Moira Kathleen Macphee)
Subject: HD2 virus help (PC)

I have discovered a virus on two of our computers. It is called HD2. McAfee recognizes it on one of the computers, but it doesn't see it on the other one (unless McAfee is run from the hard drive, in which case it doesn't run because it becomes infected). In either case, McAfee won't clean it. Does anyone know about this virus, what it does, how to clean it?

Thanks

------------------------------

Date: Thu, 23 Feb 95 19:32:28 -0500
From: "Frans Veldman"
Subject: Re: New version (?) of Satanbug (PC)

sea@montego.umcc.umich.edu (Steve Arlow) writes:
> I have discovered what appears to be a new version of the Satanbug
> virus.
> It may even be a "natural" mutation caused through
> interaction with another virus. Anyone with similar symptoms, or
> details on Satanbug's MO, please let me know.
>
> SYMPTOMS:
>
> The afflicted system (not mine, thankfully!) displays a variety of
> bizarre symptoms, seldom the same twice, but with a marked tendency
> towards "invalid instruction" exceptions. The latest versions (all
> January, 1995) of F-Prot, SCAN, and TBAV do not detect any infection
> in executables, BUT after mucking about in Windows, the Satanbug
> signature can sometimes be found in the permanent swap file.

To me, this doesn't look like virus activity. This sounds to me like a hardware problem. Viruses that are so buggy that they cause as many problems as you described above rarely succeed in spreading. Invalid instructions are often the result of garbage being written to disk. Garbage written to disk is often caused by a hardware problem.

A virus found in a data file doesn't mean a thing. There is NO virus that only infects data files. There is a simple rule that says: if there is a virus signature in a data file, but I can't find it in any executable file, it is NOT a virus. This also implies that it doesn't make sense to scan for viruses in data files, UNLESS you have found at least one infected EXECUTABLE file.

Satanbug uses lengthy patterns of a very restricted selection of bytes. Although these patterns are quite unlikely in executable files, they can quite often be found in data files. It was therefore a known fact that TbScan sometimes found a Satanbug pattern in a data file. To find this pattern in a Windows swap file doesn't surprise me very much. The most recent release of TbScan uses generic decryption to detect Satanbug, so the false alarm problem has been solved.

> Machine's owner reports various inconsistent problems, most noticeably
> under Windows (sounds like any other computer so far!
> ;) ) The problem
> has grown progressively worse, with symptoms showing up earlier and
> earlier until machine can no longer always finish booting. Finally,
> similar symptoms appeared on another system immediately after contact
> with a diskette from the suspect system. (Okay, at this point it
> sounds like a virus.)

It MAY be a bootsector virus that randomly corrupts data.

> NOW WHAT?
>
> I don't have time to sit down and try to reverse-engineer a virus;
> besides, there are presumably folks who do that for a living. Is
> there some standard "bait" file that I should try to infect? If I do
> come up with an isolated copy of the virus, should I post it here?

The solution is simple. Use TbSetup (or a product from another anti-virus vendor) and create checksum or reference files. Then wait until some executable files change. Collect these changed files and send them (preferably PGP-encrypted) to one of the anti-virus gurus for examination. For us it is quite easy to tell whether a file is just damaged (by some incompatibility) or infected by a virus. I would also recommend in this case to send a diskette which has been in the 'infected' machine so that we can take a look at the bootsector.

- --
Thunderbye, Frans Veldman
<*** PGP public key available on request ***>
Frans Veldman Phone (ESaSS) + 31 - 8894 22282
veldman@esass.iaf.nl Fax (ESaSS) + 31 - 8894 50899
2:282/222.0@fidonet Fax (VirLab) + 31 - 59 182 714

------------------------------

Date: Thu, 23 Feb 95 20:58:14 -0500
From: XWWC29A@prodigy.com (MR HENRI J DELGER)
Subject: Re: help I have a virus.. I think (PC)

dalevy@sam.neosoft.com (David A Levy) writes:
> Help me I have found a strange file on my hard drive that I cannot get
> rid of. it is listed as:
> JEN ON B 15227 1/26/95 a
> when I try and change the attribute I get a message that the file cannot
> be accessed. When I try and delete the file I get a message that the file
> does not exist.
> I have used the latest version of wscan to no avail it
> does not find a virus present. Am I missing something easy?
> Please help me I don't know what to do next.

Though that's an unusual situation, it's not necessarily indicative of a virus. To delete the file, you could try inputting a space into the file name. Hold down the ALT key and press numbers 2 5 5 on the NUMERIC keypad (not the number keys at the top of the keyboard!), then release the key. If that doesn't work, and you have DOS6, you can try the DELTREE command:

DELTREE "JEN ON.B"

If that doesn't work, you could use a disk editor, like Norton's, to bypass DOS and access the disk directly.

Henri Delger
BBS: (617) 471-3455

------------------------------

Date: Thu, 23 Feb 95 21:08:53 -0500
From: XWWC29A@prodigy.com (MR HENRI J DELGER)
Subject: Re: Junkie (Junkey, Junky) Virus (PC)

cdc@ccinet.ab.ca (Rob Chevalier) wrote:
> Does anyone have information on the Junkey (a.k.a. Junkie, Junky) virus.
> A confused source has informed me that this virus does one of the
> following:
>
> a. Simulates a full hard disk, allowing no writes.
> b. Simulates full RAM. I would assume this produces an Out of Memory
> Error.

I haven't heard of that, but here's some information for you:

Junkie virus originated in Sweden, and is classified as "Multipartite," since it can infect the hard disk Master Boot Record, diskette boot sectors, and *.COM files. It can spread to an uninfected PC when a diskette, infected in another PC, is in the A> drive at boot-up, or when a *.COM file which was infected in another PC is run. Junkie writes its code to the first sector of the hard disk, where the Master Boot/Partition data are stored. Unlike most such viruses, it does not save or relocate the original data. It also writes the rest of its code to (cylinder&head 0, sectors 4 and 5). Ordinarily, data are not lost from the hard disk, because the sectors which the virus uses are not used by DOS.
Some disks formatted in a non-standard manner may lose data, however. Junkie will be in memory after that whenever the PC is on, and infects floppy diskettes (not 360KB) by writing its code to the Boot sector (sector #0) of them. It also writes its code to the last track of infected diskettes, and unlike some viruses which do so, does not protect its code by arbitrarily marking the sectors as if they were "bad." Junkie can spread quickly, because it will infect diskettes on any access, even when just read, such as if the DIR command is used. In addition, it infects *.COM files as they are run or even if they're merely opened, such as during an anti-virus scanning process. It adds just over 1,000 bytes to infected *.COM files.

Henri Delger
BBS (617) 471-3455

------------------------------

Date: Thu, 23 Feb 95 21:15:43 -0500
From: XWWC29A@prodigy.com (MR HENRI J DELGER)
Subject: Re: FORM (PC)

M.A.Jordan@iti.salford.ac.uk (MA JORDAN) writes:
> A couple of questions about FORM... If it infects a non-system floppy
> which is left in the drive at boot time and the computer attempts to boot
> from it (and obviously fails) will the virus still have infected the
> machine?

I assume you mean that if the floppy, infected in one PC, is in a second PC, will the second PC become infected immediately? The answer is YES; the virus is one which will write to the hard disk even before the message "Non System Disk..." appears on the monitor screen.

> Secondly, can it infect a clean machine by any other method other than an
> infected disk being booted from? (eg disk reads)

Definitely NO. The following may help you understand Boot viruses better:

A Boot Sector Virus ("BSV") starts from an infected PC. It's in memory all the time, and writes part or all of its code to Sector #0, which all diskettes have, as disks are used in the drive(s). It makes no difference to the virus what is on the disk, or even whether the diskette is bootable, or not.
The reason BSVs can infect non-bootable floppy disks, or those which contain only "data," is that all properly formatted diskettes contain an executable program in the boot sector, which outputs the familiar "Non-system disk" error message on-screen. Once the virus is on the diskette, if that diskette is later in the A> drive of another PC at power-up, or when re-booted with Ctrl-Alt-Del, the Boot sector is read, and the virus takes control of memory. Most will immediately infect the hard disk. Some do later, some not at all. If the diskette is not bootable, the boot process will halt, and you'll get the "Non-system disk" message, but the virus is in memory nevertheless, and will infect disks. This process takes advantage of those who swap disks among PCs and forget disks in A> overnight.

Due to the way they spread, and the number of infected diskettes which can be produced on infected PCs, boot viruses are the most commonly reported type of virus problem. Although boot viruses make up only a small percentage of the total number of known viruses, they account for a disproportionate number of reported virus infections.

Henri Delger
BBS (617) 471-3455

------------------------------

Date: Thu, 23 Feb 95 22:46:02 -0500
From: cwcbck@leonis.nus.sg (Mr. Alan Boon)
Subject: Heard of Beijing virus?? (PC)

Hi all,

A few computers in our centre have been infected by this mysterious boot sector virus called Beijing Virus. Has anyone ever come across this? If so, what does it really do? No harm has been done so far. BTW, it can only be detected and cleaned using khscan but not scan 2.1.3 & 2.1.4. Is this a prank or a real serious situation? Pls help and respond via email. Thanks for the info.

Cheers,
Alan

- --
Centre For Wireless Communications.
Tel : (65) 772 6850 Fax: (65) 779 5441
Email: cwcbck@leonis.nus.sg
Smail: E2-05-02, 10 Kent Ridge Cres., S(0511)

------------------------------

Date: Thu, 23 Feb 95 22:48:57 -0500
From: samwick@sol.cms.uncwil.edu (Mark Samwick)
Subject: Re: Fighting The Stealth C (PC)

How does the Stealth-C differ from the Stealth-B? I have a client that got the Stealth-B virus on his system. McAfee Viruscan properly identifies it, but can't seem to get rid of it (version 2.14). Any ideas?

------------------------------

Date: Thu, 23 Feb 95 23:04:47 -0500
From: samwick@sol.cms.uncwil.edu (Mark Samwick)
Subject: Need help fighting FLIP2 virus! (PC)

When a client's machine would not load any programs into high memory, as it had done previously, I ran McAfee 2.14 on it. The Viruscan found 21 infected files, 20 with FLIP2 and 1 with something like LTTLB### (can't remember the 3 numbers right now). I ran SCAN with the /CLEAN option, then ran SCAN again. This time it found 115 cases of FLIP2, but the other one was gone. How does one kill FLIP2? Thanks in advance for any help!

Mark Samwick, CNE
J.D. Walsh Computer Consulting, Inc.
Wilmington, NC

------------------------------

Date: Thu, 23 Feb 95 23:38:33 -0500
From: spicer@ibm.net
Subject: RIPPER virus, Need Details (PC)

We have seen 3 occurrences of RIPPER lately. The VSUM summary doesn't have a listing or cross reference for it. Does anyone know anything about what it does? Are there good references other than the VSUM listing? We have seen lots of CANSU, FORM and RIPPER viruses lately!

Thanks ...
Steve Spicer
**********

------------------------------

Date: Fri, 24 Feb 95 02:54:33 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Yes Virginia, there is a ... (Was: Re: Do you believe in GENB? (PC))

Hello Mr. Hanson,

David Hanson writes:
>How many people out there are getting tired
>of seeing posting after posting that goes like
>this:
>
>"Our site has been infected with the GENB (or GENP)
>virus. How do we get rid of it?"
>
>Of course, the answer is to get a different scanner
>and try for a more exact identification. However, the
>average user is given no clue that this is the case.
>
>While it is difficult to admit the shortcomings of
>their scanner, couldn't McAfee come up with a little
>less misleading description of virus it can't completely
>identify? Something like "UNKNOWN BOOT SECTOR VIRUS"?
>
>Ok, maybe it is commercial suicide to do this, I don't

I can't see how it would be suicide, commercial or otherwise :-)

>know. But to lead so many people to believe that they
>are infected with a virus called GENB is dodgy, if not
>unethical. Users waste time trying to find a cure
>for the dreaded GENB virus instead of seeking a better
>identification. And we see posting after posting....
>
>Or maybe I'm just having a bad day. What do you think?

I think I'll log this in as an enhancement request. That doesn't, of course, mean that it will magically appear in the next release of VirusScan. But at least it will be logged in for the product and development managers to consider.

>
>Dave Hanson
>Armed Forces Recreation Center Europe
>Garmisch-Partenkirchen Germany
>hansond@heidelberg-emh4.army.mil
>

Regards,
Aryeh Goretsky

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: support@mcafee.com
2710 Walsh Ave, Suite 200| FAX (408) 970-9727 | or ftp.mcafee.com
Santa Clara, California | FaxBck(408) tba | or www.mcafee.com
95051-0963 | BBS (408) 988-4004 | CompuServe ID: 76702,1714
USA | USR HST Courier DS | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Thu, 23 Feb 95 14:01:28 -0500
From: Mikko Hypponen
Subject: F-PROT Gatekeeper Antivirus - free test phase in progress (PC)

We are happy to announce that the free public test phase of our F-PROT Gatekeeper for Windows antivirus product has started today, the 22nd of February 1995.
F-PROT Gatekeeper is an antivirus application that runs in the background of MS-Windows and checks memory, accessed programs and boot sectors with the award-winning F-PROT Secure Scan technology - finding even the toughest polymorphic viruses and the most cumbersome high-level language viruses as soon as they are about to enter the system.

F-PROT Gatekeeper has been through three major revisions, all of which have been thoroughly tested by a closed beta tester group with more than 80 participants all over the world. We are confident that the technology we are using is highly compatible with any machine currently running Windows. However, in order to test Gatekeeper more widely in real-world situations and with as many different machines as possible and also to get more feedback and comments, we are now starting a public test phase - everybody is encouraged to participate and try out the product for free.

To join in, retrieve a copy of the software from our FTP or WWW server. The archive contains more information and a time-limited copy of the software - the evaluation version will expire on the 1st of April, 1995.

To get a test version of Gatekeeper via FTP: Ftp to ftp.datafellows.fi, login: ftp, password: your e-mail, retrieve file /pub/gatekeep/gk-eval.zip (in binary mode)

To get a test version of Gatekeeper via WWW: Access page http://www.datafellows.fi/gk-eval.html with your WWW browser and choose the download link.

Please send requests for more information and all your feedback by e-mail to address feedback@datafellows.fi.
- --
Mikko Hermanni Hyppönen // mikko.hypponen@datafellows.fi
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Computer virus information available via WWW: http://www.datafellows.fi

------------------------------

Date: Tue, 21 Feb 95 12:44:01 -0700
From: Chris McDonald
Subject: Product Test Report PT-76, CryptoMactic (Macintosh)

******************************************************************************
PT-76 February 1995
******************************************************************************

1. Product Description: CryptoMactic is a program for the Macintosh which allows one to select any file or folder on a hard disk and encrypt it with one of several encryption algorithms. The program also provides capabilities for erasure or sanitization of media. This product test addresses version 1.01.

2. Product Acquisition: CryptoMactic is available from Kent Marsh Ltd., 3260 Sul Ross, Houston, TX 77098. The retail price for the program is $99.00, but the vendor as well as wholesale sources have listed the program for half that amount at various times. The telephone number for Kent Marsh is 713-522-LOCK.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5506, DSN 258-7548, DDN cmcdonal@wsmr-emh34.army.mil.

4. Product Test:

a. I obtained a copy of the program directly from the vendor during a promotional sale. I have conducted tests over a five month period on different Macintosh platforms running at least System 7.0.

b. The installation procedure followed the User Guide instructions without any deviation. As with other Kent Marsh programs, documentation instructs one to make a backup copy of the program prior to installation. The installation procedure requires the user to simply select the name of the startup hard disk on which the program will be installed. When the program has completed installation, the user must then restart the Macintosh.

c. The installation procedure does require that one temporarily disable any virus protection software already installed. If one scans the installation disk prior to the procedure, this should not present a problem. It will be necessary in certain cases, however, to readjust one's anti-viral program parameters after installation. For example, I found that upon reactivation of Gatekeeper it alarmed on the CryptoMactic's extension loading on startup.

d. One can begin encryption/decryption operations immediately. The installation program places a "diamond" as a menu item selection on the main Apple menu to the right of the Special menu selection. One chooses the file or folder to encrypt, and then selects Encrypt from the menu. One receives a window in which to enter the code key to be used for the encryption operation and an additional pop-up menu to select the encryption algorithm to be used. Once you have entered a code key, the program will prompt you to verify it. As the program encrypts the source file or folder, CryptoMactic erases the original file.

e. Decryption of a file or folder proceeds in the opposite direction of encryption with the exception that upon selecting Decrypt from the menu one only has to enter the code key once to complete the operation. If one forgets the code key, it may still be possible to decrypt a file or folder with the CryptoMactic Administrator "override" capability. The documentation states that, since each copy of CryptoMactic has its own "internal signature", the Administrator override capability can only be used to unlock files or folders encrypted with that copy. Therefore, obtaining a single copy of the CryptoMactic Administrator should not endanger the protection afforded by CryptoMactic in general.

f. I completed over 50 different encryption/decryption operations of files and folders of varying sizes. In all cases the operations were flawless and performed as documented.
I attempted to utilize several disk editors to determine if code keys were present. I was not successful in finding any keys within the encrypted material.

g. The program offers five different encryption modules:

(1) LightningCrypt - a proprietary encryption algorithm developed by Kent Marsh.
(2) QuickCrypt - a proprietary encryption algorithm developed by Kent Marsh derived from the Data Encryption Standard (DES) algorithm.
(3) DES - Data Encryption Standard algorithm described in Federal Information Processing Standard 46-2.
(4) DES-CBC - The cipher-block chaining implementation of DES.
(5) Triple DES

The speed of operations decreases from (1) to (5) with LightningCrypt the fastest and Triple DES the slowest. On the other hand, the inherent security of each module increases in the same order. The documentation, for example, describes Triple DES "as mathematically twice as secure as DES". I verified the speed of operations. I would refer the reader to several articles and a book by Bruce Schneier on the cryptographic strength of each module entitled "Protect Your Macintosh", ISBN 0-56609-101-2.

h. CryptoMactic allows one to configure a number of preferences from the "diamond" menu.
I verified the functionality and operational characteristics of these:

(1) Encryption type - the selection of the encryption algorithm
(2) Erase pattern - the selection of a pattern of ones, zeroes, and final values to sanitize media
(3) Secure (unrecoverable) erase - the selection when erasing files from the desktop to preclude recovery
(4) Code keys are case-sensitive - the selection to make "A" distinct from "a"
(5) Minimum code key length - the selection to prompt for a standard length code key
(6) Confirm code keys - the selection to require verification of a code key
(7) Display/Hide/Display code key as "*" - the selection to determine how a code key is displayed
(8) Show icon at startup - the selection to have the CryptoMactic icon appear at the bottom of the Macintosh screen
(9) Display menu in Finder - the selection to insert the "diamond" menu
(10) Display progress bar - the selection to have a thermometer-style box indicate the progress of encryption/decryption
(11) Show animation - the selection to have an additional animated sequence in the progress bar during encryption/decryption
(12) Allow use over network - the selection to permit encryption/decryption and erasure operations on network volumes
(13) Skip applications - the selection to have CryptoMactic ignore application files when encrypting a group of files or an entire folder
(14) Make self-decrypting - the selection to have an encrypted file turn into an application which will automatically decrypt itself when a user double-clicks on the file and enters the correct code key
(15) Allow override - the selection to permit the CryptoMactic Administrator to decrypt a file or folder without use of the code key

i. The "allow override" preference depends upon the CryptoMactic Administrator application. This application is not part of the initial program installation.
One can choose to install it by opening the CryptoMactic Administrator folder on the installation disk and dragging the CryptoMactic Administrator file to any folder on the hard disk. I installed the application and successfully overrode several encrypted files with override permitted. I attempted unsuccessfully to override files with override disabled. CryptoMactic Administrator can be password protected. I tested this option which functioned as documented. I also used CryptoMactic Administrator to set preferences as described in paragraph 4h above. Under the application one can set preferences which a standard user cannot change. I verified the functionality of this option, but made no serious attempt to circumvent it. I did observe that, when I attempted to 3 change a preference as a standard user, the program presented a warning message that this was against my authorization. However, I did receive visual confirmation as to the specific preferences which I as the Administrator had established. There may be instances where an Administrator would not want a standard user to know all the preference settings. j. CryptoMactic provides a variety of erasure or sanitization routines to meet most user requirements. One has options to sanitize either a file, or unused/free space on a disk, or an entire disk. One has various erasure patterns to select. I tested all of the options with various erasure patterns selected. All operations performed as documented. I was unable to retrieve any information sanitized utilizing several disk editors and recovery tools. 5. Product Advantages: a. CryptoMactic appears to perform as advertised in providing encryption and sanitization capabilities. b. The program, given its many options and preferences, is reasonably priced. c. Although several programs provide self-decrypting applications, CryptoMactic offers more secure encryption algorithms. d. The program is easy to use for the individual user. 6. Product Disadvantages: a. 
Government users will require a waiver under FIPS 46-2 to protect unclassified sensitive information using the product's software DES implementation. Such users may also require additional information on the erasure/sanitization routine for applications involving classified national defense information. b. If one does not choose the "allow override" preference, then information may be lost if a user forgets a key. c. Key management in a large enterprise may present problems in the absence of sufficient personnel resources to implement centralized key administration as well as centralized installation procedures. 7. Comments: Kent Marsh has a sound reputation for its family of Macintosh security products. CryptoMactic continues that reputation. [The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.] ------------------------------ Date: Fri, 24 Feb 95 08:20:31 -0500 From: Charlie_Rutstein@notes.pw.com Subject: NCSA Security Conference Following is an announcement for a technical symposium in April. For more details and registration information, you may send a request to NCSA, 74774.1326@compuserve.com" ============================================================ SECURITY ON THE I-WAY NCSAs 1995 Technical Symposium April 10-11, 1995 Stouffer Concourse Hotel Arlington, VA NCSA is pleased to announce Security on the I-WAY '95, a technical symposium addressing two key security issues: Internet/NII Security and Computer Viruses. Our speakers this year include many of the worlds leading experts in these two key areas. To register for the conference, complete the registration form at the end of this file. CONFERENCE PROGRAM: April 10/Monday: 08:30 Keynote Address NCSA: New Directions Dr. 
TRACK 1: Computer Viruses
Track Chairman: Charles Rutstein

April 10/Monday:
09:00 Real World Anti-Virus Review and Evaluation
      Richard Ford, Editor, Virus Bulletin
      Sarah Gordon, Command Software
10:30 Virus Metrics
      Joe Wells, IBM Watson Research Center
13:00 Viruses and the Internet
      Fridrik Skulason, FRISK Software
14:30 Virus Writing: High-tech InfoSecurity Warfare
      Frans Veldman, ESaSS

April 11/Tuesday:
09:00 Viruses in the 32-bit Operating Environment
      Shane Coursen, Symantec
10:30 Viruses and Windows NT
      Charles Rutstein, Price Waterhouse
13:00 The Good, the Bad and the Polymorphic
      Alan Solomon, S&S International

TRACK 2: Internet/Infrastructure Security
Track Chairman: Ted Phillips

April 10/Monday:
09:00 The Electronic Intrusion Risks to the NII
      Ted Phillips, Booz-Allen Hamilton
10:30 Public Key Infrastructure Issues
      Warwick Ford, Bell Northern Research
13:00 Internet Security Strategies
      Jim Litchko, TIS
14:30 Security Applications for Smartcard Technologies
      Jim Dray, NIST

April 11/Tuesday:
09:00 Wireless System Security
      Robert McKosky, GTE Laboratories
10:30 Broadband Network Security Issues
      John Kimmins, Bellcore
13:00 NII Network Reliability Issues
      Mel Sobotka, Booz-Allen Hamilton
14:30 Law Enforcement Perspectives on NII Security
      Hal Hendershot, FBI

=============================================

Conference Events:
Lunch both days
Cocktail reception Monday night

Exhibit Hall: Exhibit hall will be open from 9:30 - 4:30 both days. Exhibit hall admission is free.

Hotel Information:
Stouffer Concourse Hotel (Crystal City)
2399 Jefferson Davis Highway
Arlington, VA 22202
703-418-6800

==============================================

Conference Fees:
$325.00 - NCSA Members
$395.00 - All others

==============================================

Registration Form:

Name:    __________________________________________________
Title:   __________________________________________________
Org:     __________________________________________________
Address: __________________________________________________
Address: __________________________________________________
City:    __________________________________________________
State:   _____________________________ Zip: _____________
Phone:   _____________________ Fax: _____________________

Enclosed: ( ) $325.00 ( ) $395.00

Make checks payable to NCSA, or Charge to: ( ) VISA ( ) MasterCard ( ) AMEX
Number:    ___________________________________________
Exp date:  ___________________________
Signature: ___________________________________________

( ) I'M INTERESTED, but would like more information sent to the address above. Please include a free copy of your 32 page "Information Security Resource Catalog".

( ) I'd like to know more about NCSA on-site training, security audits and consulting services. Please have someone give me a call.

MAIL OR FAX TO:
National Computer Security Association
10 South Courthouse Avenue
Carlisle, PA 17013
Phone 717-258-1816 or FAX 717-243-8642
EMAIL: 74774.1326@compuserve.com
CompuServe: GO NCSAFORUM

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 19]
*****************************************
