VIRUS-L Digest   Thursday, 23 Mar 1995   Volume 8 : Issue 27

Today's Topics:

Re: Trojan Horses
re: digital vs biological viruses
Book Recommendation Request
virus requests
Re: UNIX viruses & printers (UNIX)
Re: Does UNIX Virus Protection Exist? (UNIX)
Wanted - info on Whisper and Tai Pan (PC)
Re: New directories-virus? (PC)
Re: Best AV software for LAN? (PC)
RE: Heard of Beijing virus?? (PC)
need newest version of good virus scanner software (PC)
Non detectable viruses (PC)
Yellow vs. White text in F-PROT virus list (PC)
Need info on ANTIEXE/NEWBUG (PC)
ASK message (PC)
Re: Piggybacking and memory scanning (PC)
[Q] Several questions re: downloaded S/W (PC)
McAfee doesn't get rid of JOSHI virus !!! (PC)
Re: Access control and antivirus (PC)
Re: Boot sector virus remains undetectable? (PC)
Invircible once daily not working (PC)
[HELP] _1496 virus (PC)
Re: Virus that screws up WFWG 32-bit disk access? (PC)
Re: ATTN: McAfee doesn't find ANTIEXE (PC)
Memory Resident Viruses and WinNT/Win95/OS/2 Warp (PC)
Re: McAffee 214 (PC)
Re: .DLL files are disappearing. Have I got a virus? (PC)
Re: Stealth_C Virus (PC)
SMEG based virus or not ? (PC)
Re: Disinfecting ANTIEXE virus (PC)
Gatekeeper (PC)
Re: Disinfecting ANTIEXE virus (PC)
Re: Disinfecting ANTIEXE virus (PC)
Re: Fdisk /mbr??? (PC)
PC SAFE Anti Virus Hardware (PC)
Cinderella Virus (PC)
HELP: Slow Virus (PC)
windows specific virus? (PC)
Re: Access control and antivirus (PC)
My computer [DX266] now acts like a 386/16? (PC)
Re: Fdisk /mbr??? (PC)
Re: McAffee 214 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 14 Mar 95 19:20:33 -0500
From: jadestar@netcom.com (JaDe)
Subject: Re: Trojan Horses

In days of yore (1 Mar 1995 18:10:09 -0000) Kari Cadwallader (cadwall@husc.harvard.edu) bespake:

::I'm looking for any and all information in trojan horses. I have found a
::wealth of information on viruses but I am only looking for a specific
::type "TROJAN HORSE". If anyone has a URL or ftp site that might help me
::please advise.
::Thanks

A "Trojan Horse" is not a "type" of virus. It refers to any program that purports to do one thing -- and surreptitiously does another.

The essential element of a virus is propagation -- virii "infect" (diskettes, systems, memory, files -- or some combination of these). The essential element of a trojan horse is deception. While virii usually also involve deception and surreptitious activity they do not usually involve a specific program that makes specific claims of functionality. Virii modify existing, functional, programs (sometimes rendering them non-functional for their original purpose and generally adding the function of further propagating the virus -- possibly also adding other functions -- payloads).

A trojan horse can also be said to have a payload (the covert functions). The payload of a trojan horse may be to deliver a virus laden file or to patch a virus into some program. This particular type of trojan is called a "dropper."
It is also one of the few ways that a boot sector virus can infect a system via modem.

However these are different terms. Although they share some common terminology and can have similar symptoms -- they aren't the same.

While we're on the topic there are also "logic bombs." These are neither "virii" nor "trojan horses." A logic bomb is an intentional function within a program that delivers some (undesirable) effect when some condition is met. Note that this is an intentionally included function -- but is generally not part of the "official" specification of the program. It is surreptitious (like the trojan horse) but the whole of the program behaves as it claims. It is not a "bug" (those are unintentional). Logic bombs can exist in trojan horses, in virii and in perfectly normal software. A program that validates itself and deletes a series of related data files after an "expiration" date (true of the occasional demo, non-ASP compliant shareware, and/or vertical market application or custom program) might have such a logic bomb. A virus that watches the breakpoint vector in the interrupt table and hangs or reboots the system when it's modified could be said to have an anti-detection logic bomb. (The breakpoint vector is normally only modified by debuggers and diagnostics software.)

Please note that I'm not an authority on the subject (despite my tone -- I don't have such delusions). These are my opinions based on the usage that I've seen for these terms over the last 15 years. All of these terms pre-date the introduction of the PC. They will probably outlive the PC as well.

--
JaDeStar            Linux: an OS with a CLUE (Command Line User Environment)

------------------------------

Date: Thu, 16 Mar 95 09:34:00 -0500
From: "David M. Chess"
Subject: re: digital vs biological viruses

> From: hanson@cs.uiowa.edu (Rolf Hanson)
> has there been any research done in the area of comparing
> computer viruses to biological ones?

There are lots of analogies that one can draw between bioviruses and computer viruses. You can make analogies at various levels (cell:computer :: body:company, or cell:program :: body::computer, and so on), you can take different parts of the bio-immune system (invertebrates have a rather different system than mammals, for instance), and so on. Take a look, for instance, at the paper "A Biologically Inspired Immune System for Computers", available at "gopher://index.almaden.ibm.com/1virus/menus/virpap.70".

> or using computers to simulate the reproduction and evolution of
> biological viruses?

I'd suggest asking in sci.med.immunology. I know there are various computer models of the immune system under development; I don't know if the people doing it are publishing on the Net, though...

--
David M. Chess                   | "Hello!
High Integrity Computing Lab     |  Welcome to the show!
IBM Watson Research              |  What's your name?"

------------------------------

Date: Fri, 17 Mar 95 08:45:18 -0500
From: baileyrl@netcom.com (Bob Bailey)
Subject: Book Recommendation Request

I have been asked to recommend some books for a technical library used by software consultants. One of the subjects I would like to include is computer viruses. I have recently read Dr. Cohen's book, "A Short Course on Computer Viruses" and will include that in my recommendations. Can anyone recommend additional books on computer viruses? Please send E-Mail to me at baileyrl@netcom.com.

Thanks,
Bob Bailey

------------------------------

Date: Thu, 16 Mar 95 04:45:59 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: virus requests

You may or may not believe the number of requests that I have received from users wanting viruses. I only send specimens to A-V developers and A-V Researchers that I know and trust.
I will not give a virus to anyone that I do not know and trust unless an A-V developer or A-V researcher that I trust will vouch for them. If other A-V researchers or A-V developers know and trust you, ask them for a specimen, because you will not get a specimen from me.

Bill Lambdin

Bill                         9CCD47F3C765CA33
bill.lambdin@woodybbs.com    C77D698B260CF808   <- PGP fingerprint codes

---
 * CMPQwk 1.4 #1255 * AH activates any Tuesday

------------------------------

Date: Tue, 14 Mar 95 20:19:22 -0500
From: jadestar@netcom.com (JaDe)
Subject: Re: UNIX viruses & printers (UNIX)

In days of yore (1 Mar 1995 18:14:20 -0000) Dana Lone Hill (dlonehi@cp.mnet.uswest.com) bespake:

::   I'm new to computer viruses and I would like to know if there
::are viruses that attack UNIX based computers. if anyone can give me
::any information I sure would appreciate it.
::   Also, is it possible for a viruse or worm to hide in the RAM
::memory of a printer if that printer is on 24hrs. a day? Again thanks
::for your help.

This has been a matter of some debate. So far as I know there has never been a widespread attack on Unix systems that has been properly categorized as a "virus." There are a wide variety of worms, logic bombs, spoofs, trojan horses, and exploited security weaknesses that have hit a variety of Unix systems.

There are a couple of things that make Unix resistant to the types of virii that are seen under DOS and on Macs and other single-user, unsecured microcomputer OS'.

The first (and probably foremost) is that Unix has been implemented on the widest variety of architectures and platforms (no other OS has come close in hardware/processor diversity). A virus is either machine/processor specific or would have to be implemented in a sufficiently high-level language (or scripting facility) to be portable across platforms. If one were to write a shell script that exhibited the propagation characteristics of a virus -- you'd probably see an incredible argument over how it should be classified.
I won't address that. There are other issues that make a "shell-script" (batch file) virus implausible.

The second item that discourages the creation of virii for a *nix platform is that the system is multi-user and implements a security system as a standard part of the OS. Although there are numerous holes in a typical Unix system (mostly having to do with programs that run at a higher privilege level than the user that's executed them -- and have bugs which can be exploited to allow the user to "break into a shell" or "spoof a file" etc). Despite the many concerns regarding security holes -- the very existence of the security system, and even the nodding awareness of security on the part of *nix SysAdm's makes Unix virii a much more complicated issue than just "find an executable and link a copy of my code into it" or "find the boot record, move it, copy in a copy of my code" (these are the two predominant techniques employed by PC virii). The potential virus has to somehow coax the root user to run it (most Unix system operators only occasionally log in as "root" and then only to use a small set of utilities).

The security system in Unix does much more than just validate that a given user has access to a given file. It insulates each of the processes in memory from one another and from direct access to most of the hardware (particularly the hard drives and storage subsystems). Thus I can't write a program to modify the operation of another one of my programs (in memory) even if I want to (unless I were to set up the receiving program to co-operate in the affair). (I'm oversimplifying since I know there's debuggers for Unix but I digress).

Combine these with the fact that a typical Unix box goes for months at a time without rebooting (most of the real world infections are from boot sector virii -- in the PC world). Non-PC Unix' often don't have anything like an A: drive (a floppy drive which is checked automatically at boot).
As I understand it (no experience just hearsay) to boot a Sun if your hard disk is damaged or your kernel or boot files are toast you restart the machine, press a keystroke combination (that essentially gets you into something like the CMOS Setup program on a PC) and you're put into an FCODE monitor -- which is a diagnostics environment in ROM -- similar to the forth programming language. Using this you can perform tests on your SCSI hosts, and devices, and manually get the system to "boot" from a tape, CD-ROM or other SCSI medium.

Regarding your question about virii "hiding" in a printer's buffer. This is very similar to the recurring question about virii hiding in CMOS "memory." The printer's buffer (assuming standard PC and related architectures) is not in the address space of the CPU. This means that any viral code could not be executed while it was there. If a virus were to copy itself out to a printer (and somehow get the printer to store this without printing it -- say by defining it as an additional font) then the copy wouldn't be "code" -- it would just be "data." Basically the virus would have to copy the "data" back into RAM (somewhere into the CPU address space) before any of it could be executed. To perform this copy the virus would have to be hooked into something else . . . something that was an active part of the execution path for the infected machine.

An important concept in computer virus theory is that of "hooks" into the execution path. It's possible for me to put inert copies of a virus all over my system (in bad sectors, CMOS registers, ROM chips, video RAM, printer buffers, wherever). These will be inert unless they are "hooked" or "linked" into some component of the machine that normally executes (the "execution path" -- which is not to be confused with your DOS PATH).

The normal execution path of a PC goes something like this:

CPU -- processor self check (code internal to the processor chip).
ROM BIOS initialization -- (processor is designed to jump to a specific location near the end of the real mode address space -- all x86 processors to date start in real mode). This ROM initialization code typically does things like a CRC of the ROM (self-check), and some diagnostics of certain peripheral chips on the motherboard (DMA controller, interval timer, interrupt controller (PIT and PIC respectively)). The ROM also does a check of at least the first 4K of RAM (to insure that the interrupt vector table is usable) and (usually elsewhere in the process) checks the rest of RAM. Some of the values in the vector table are initialized. Values are read (via I/O ports) from the CMOS and extended CMOS registers. Some values are placed in the BIOS DATA AREA (just after the IVT).

At some point (I don't have a reference handy so I can't nail down the specific sequence -- these things follow a logical but in some cases implementation specific sequence) the ROM does a ROM bootstrap search (for other devices that have ROM's). This search extends through the reserved address space (I think it goes from C000 to EF00 but it could go from A000 on up). When a certain signature is found (55AA hex) (might need to be on a 4K or 16K address boundary) then the ROM BIOS expects to read a jump location and do a long far CALL (assembly language term) to that ROM extension. This ROM extension might be the boot PROM on a network card, or it might be the ROM controller for a SCSI host adapter or ESDI or EIDE disk controller. It could be a ROMDisk, or even a hardware anti-virus product. The ROM extension's initialization routine would typically hook some interrupts in the vector table (a NIC PROM usually hooks Int 18h while the SCSI host ROM usually hooks Int 13h; the reasons for this become apparent later).

At some point all of the ROM extensions have been initialized. Each has had its chance to "hook" into certain events (interrupts) so that it will get the first crack at handling those.
(As a quirk, note that the ROM's with the higher address -- other than the main BIOS -- have the last say in this.)

Now the ROM BIOS calls routines in INT 13h to check for bootable floppies, and hard disks. On a floppy there is a boot record (this is true of DOS and all other PC OS' -- though they differ from one OS or DOS version to another). On a hard disk there is an MBR which reads and decodes the partition table (the MBR is a single sector with a code section and the partition table both located in it). The code from the MBR looks for the active partition then reads a boot record (like the floppy's) and executes the code portion of that (this is a sector that is comprised of a BIOS Parameter Block and some start-up code).

Finally the LBR (logical boot record) looks for the OS kernel (IO.SYS or IBMIO.SYS or MSIO.SYS depending on the DOS vintage). This and the MSDOS.SYS (or IBMDOS.SYS, etc) figure out enough about the directory structure and file system to open the CONFIG.SYS and execute each of the directives therein. This includes loading DEVICE= (and INSTALL= for DOS 4.x +). Finally a SHELL= (or the default COMMAND.COM) is loaded. The rest of the execution path is basically familiar to all DOS users.

Note that large parts of this exist in data structures that are outside of the DOS file system. This is why boot sector virii can affect OS/2 and PC *nix systems. They might not be able to propagate from there -- but they are hooked into the execution path and can deliver their payload. A few unlucky Unix, NextStep, NT, and OS/2 users every year find this out every March 6th -- if they happen to reboot on that day.

Please note that there are probably some errors in this (I typed it completely ad hoc from memory -- and it's based on many different things I've read). I've just tried to convey the idea to make the important point. There are a finite number of locations in this operational path. A virus must modify something along this path in order to infect.
Just getting a copy of the code stashed somewhere on the system is not enough -- it's just "data" until it's called by something (the BIOS, the MBR's code, the BR's code, the kernel, the shell, or something run by the user).

--
JaDeStar            Linux: an OS with a CLUE (Command Line User Environment)

------------------------------

Date: Wed, 15 Mar 95 07:57:04 -0500
From: Klaus Brunnstein
Subject: Re: Does UNIX Virus Protection Exist? (UNIX)

Contrary to some beliefs reported in recent Virus-L editions, it's pretty simple to write and install UNIX virii! Apart from Fred Cohen's original viruses which were tested on UNIX, there have been several publications of UNIX virii (not only Tom Duff's). Transfer is not as easy as in PCs where a given virus may be installed on different versions of MSDOS, as there are differences in the structure of UNIX programs on different platforms. But with some knowledge of the program structure of a given UNIX version, viruses may be easily adapted to infect related executables.

In two diploma theses, students here at VTC have tested the efficiency of infection mechanisms on a normal as well as on a "secure" (B2) UNIX AT&T System V version; as viruses attack integrity rather than confidentiality (which is measured in Orange Books criteria), we were not surprised that the UNIX viruses easily infected also files in the B2 system. Most of our test viruses were detected by normal integrity checkers; it was not the goal of such work to produce stealth viruses or viruses undergoing integrity mechanisms so we did not aim at testing limitations of contemporary methods.

Summarizing our experiences, it's *not* difficult to write UNIX viruses. Virus distribution via program exchange would also work. Though about 10 UNIX viruses are known, they are not distributed mainly due to psychological reasons.
UNIX freaks seem to love their systems so much that they do not intend to destroy their work base; moreover, such freaks are so UNinterested in security (otherwise, they would not use unsecure UNIX!) that they don't think about its evident shortcomings! (Such reasons also apply to MAC freaks though their platform is much more user friendly than UNIX :-)

Regards
Klaus Brunnstein (March 15, 1995)

-----------------------------------------------------------------------------
Post Address: Prof.Dr. Klaus Brunnstein
              University of Hamburg (also: Virus Test Center, VTC)
              Faculty for Informatics
              Vogt-Koelln-Str. 30
              D 22527 Hamburg-Stellingen
Tel:   (+49) (40) 54 715 - 406 Brunnstein
       (+49) (40) 54 715 - 405 Mrs.Leuschner (secr)
Fax:   (+49) (40) 54 715 - 226
EMail: Brunnstein@RZ.Informatik.Uni-Hamburg.d400.de

------------------------------

Date: Wed, 15 Mar 95 05:47:19 -0500
From: a94robry@ida.his.se (Robert Ryberg)
Subject: Wanted - info on Whisper and Tai Pan (PC)

   could someone please email me any info on the Whisper and/or Whisper-Tai Pan virus (virii?). I recently encountered both on my system. I noticed that McAffee can clean the Whisper-Tai Pan virus but not the Whisper virus. Any and all info would be appreciated.

   Alan Olson

oh.. okay, whisper is called tai-pan. it is (the first version) 438 bytes long. it will infect exe programs which are less than (about) 64800 bytes (dont remember the figure really, but a bit less than 65535-438.. . . ). it has no stealth, and no encryption routines included. it doesnt harm the computer or so.. might hang? i dunno. . . it contains the text 'whisper presenterar tai-pan'. presenterar is swedish and means (you guessed it.. ) 'presents'. the memory will be decreased by 496 bytes i think, but it isnt visible with a mem /c. to my knowledge, there are two versions of taipan out. one described above, and one which is 666 bytes. the latter contains some other text and managed to spread onto the Night Owl 15 cd. . . .
it's a miracle that a virus like taipan can spread. . . shows the great arrogance of users.. i mean, tbscan detected like 7 or so flags even before it was released. . avp probably detected it as well, and perhaps even f-prot's heuristics? but users are too damn proud of their scan from mcafee, so i guess a virus like this with no amazing replicating or stealthiness can spread out anyhow.. .

------------------------------

Date: Wed, 15 Mar 95 06:03:31 -0500
From: seans@efn.org (Sean Shanahan)
Subject: Re: New directories-virus? (PC)

ThYmEz@ix.netcom.com (Asher Delug) writes:

>Everytime i boot up i get New directories. For Example this morning when
>i booted up i got 2 new directories-Agemopola and Thyxix. I've scanned
>with McAffee 2.15 for windows, Central Point anti-virus, ThunderByte,
>and MS anti-virus. I'm sure this is a virus...what should i do??????

It may be, but I had a similar problem, and it turned out to be my HD was driving its last. Do you use disk compression? And do you use DOS 6.0? There have been problems reported (and experienced by yours truly) with that combination, especially if you use Doublespace. If you start seeing weird files, like A~~00.IIOUY, or something bizarre, that would indicate the same thing. At least that's what happened to me. I bought a new HD, (my old one was too small anyways), and the problem disappeared. (I transferred the data from my old disk to the new one, and repeated scanning with f-prot, mcaffe, and MSAV (I know it sucks...but I figured what the heck, it's right there..) has shown no infection.

Just thought you may want to get an opinion.
--
$ One man gathers what    * seans@efn.org        *  You just can't polish  $
# another man spills      * seans@fish.share.net *  a turd.....Beavis      #

------------------------------

Date: Wed, 15 Mar 95 07:19:17 -0500
From: gcluley@sands.co.uk
Subject: Re: Best AV software for LAN? (PC)

Doug Burnett writes:

>What is the most widely used AV software on LAN. I'm new to the subject
>and trying to figure out who the big players in LAN AV are. Cheyenne?
>Intel? Who are the others?

It all rather depends on what you want from your anti-virus software. Something that's easy to install? Something that's easy to use? Something that finds viruses? Something that will protect workstations even when they're not connected to the network? Technical support?

InfoWorld Magazine have just done a comparative review of NetWare anti-virus products (February 95). They tested Central Point, Norton, Cheyenne InocuLAN, Intel LANDesk, and Dr Solomon's. Dr Solomon's was described thus: "Without a doubt the best product we tested in terms of accurately detecting a virus". They did have some criticisms, however, of the installation and usability of the version of Dr Solomon's for Netware they evaluated (ver 6.69). These have been addressed by the latest version of the Dr Solomon's NetWare package (version 7.00) and I understand the guys at InfoWorld Magazine are a lot happier with that aspect of things, and they will be doing another review in the coming months.

Dr Solomon's was described as "the absolute best virus detection available". If that's an important criterion for you, you might like to consider contacting our offices in the States.

Other worthwhile recent independent reviews are those conducted by Virus Bulletin and Vesselin Bontchev (VB and VB!) at the University of Hamburg.
However, these are evaluations of DOS anti-virus packages, and not all anti-virus packages seem to use the same virus-scanning engine across all platforms (i.e. their DOS product may detect more viruses than their NetWare product).

I can provide you with copies of the Virus Bulletin comparative review if you wish.

Regards

Graham

---
Graham Cluley [gcluley@sands.co.uk]
Senior Technology Consultant,            S&S International PLC, Alton House,
Dr Solomon's Anti-Virus Toolkit          Gatehouse Way, Aylesbury, Bucks, UK
S&S International PLC                    +44 (0)1296 318700

In the States contact: S&S Software International, Inc, 27660 Marguerite Parkway #C-250, Mission Viejo, CA 92692, USA
Tel: 714 470 0048  Fax: 714 470 0018  [72714.2252@compuserve.com]

------------------------------

Date: Wed, 15 Mar 95 08:04:50 -0500
From: gcluley@sands.co.uk
Subject: RE: Heard of Beijing virus?? (PC)

Mr. Alan Boon writes:

> A few computers in our centre have been infected by this mysterious
> boot sector virus called Beijing Virus. Has anyone ever come across
> this? If so, what does it really do? No harm has been done so far.

Beijing infects the boot sector of floppy disks and the partition sector of hard disks. If the PC is booted from an infected floppy disk, the virus goes memory resident and infects the partition sector of the hard disk. The virus infects any floppy disk which is accessed.

The virus does NOT store a copy of the original, clean partition sector elsewhere on the disk. It stores additional virus code on Cylinder 0, Head 0, Sector 4 on the hard disk and in one of the root directory sectors on floppy disks; the text

Welcome to BUPT 9146, Beijing!

can be found in this sector.
Regards

Graham

---
Graham Cluley [gcluley@sands.co.uk]
Senior Technology Consultant,            S&S International PLC, Alton House,
Dr Solomon's Anti-Virus Toolkit          Gatehouse Way, Aylesbury, Bucks, UK
S&S International PLC                    +44 (0)1296 318700

In the States contact: S&S Software International, Inc, 27660 Marguerite Parkway #C-250, Mission Viejo, CA 92692, USA
Tel: 714 470 0048  Fax: 714 470 0018  [72714.2252@compuserve.com]

------------------------------

Date: Wed, 15 Mar 95 11:35:56 -0500
From: heller@ifr.ing.tu-bs.de (Marcus Heller)
Subject: need newest version of good virus scanner software (PC)

Hi all,

I am looking for 'ftp' virus detectors for MSDOS. Please can you help me and give me a hint where can (or how can) I get the newest version of good virus scan software such as McAfee?

Thank you very much,
Marcus

==========================================
from  : M.Heller
email : heller@ifr.ing.tu-bs.de
Institute for Control Engineering
TU Brunswick
--------------------------

------------------------------

Date: Wed, 15 Mar 95 12:46:52 -0500
From: rivera@oasys.dt.navy.mil (Rafael Rivera)
Subject: Non detectable viruses (PC)

Is there a virus that is not detectable by the latest McFee Vscan/Vshield virus scanners?

------------------------------

Date: Wed, 15 Mar 95 12:48:14 -0500
From: kuchan@quark.cig.mot.com (Joseph M. Kuchan)
Subject: Yellow vs. White text in F-PROT virus list (PC)

I've been using F-Prot for some time now, but have never understood the significance of a virus' name being in white text or yellow text in the virus information screen. What IS the significance?

Thanks!

-Joe

--
Joseph M. Kuchan, Cellular Infrastructure Group, Motorola, Inc.
1475 W. Shure Drive, Arlington Heights, IL 60004
tel: (708) 632-6298   fax: (708) 435-9017   email: kuchan@cig.mot.com

------------------------------

Date: Wed, 15 Mar 95 13:53:09 -0500
From: Bob Thorsen
Subject: Need info on ANTIEXE/NEWBUG (PC)

One of our users has a disk that she brought home. Husband's system (with MacAfee) said the disk was infected with ANTIEXE. Our CPAV found nothing. Newer signatures for CPAV found a virus it called NEWBUG. CPAV's data base says NEWBUG only infects diskette boot sectors. I can't find reference to either virus in VSUM. FAQ indicated that I wouldn't have much better luck in other catalogs.

Information on this virus (or these viruses) or pointers to other sources of information would be greatly appreciated.

============================================================================
Bob Thorsen                     | Unless expressly stated in the text of the
House Information Systems       | article, the opinions expressed here do not
U. S. House of Representatives  | represent the official position of any
rthorsen@hr.house.gov           | entity of the U. S. House of Representatives.
============================================================================

------------------------------

Date: Wed, 15 Mar 95 13:53:06 -0500
From: iandoug@aztec.co.za (Ian Douglas)
Subject: ASK message (PC)

Hi All

Does this message, which appears on program exit, ring a bell anywhere?

ART (Y/N)?

If you type Y, you get some random ascii junk. It also causes 4DOS .bat or .btm files to go haywire - it prompts you whether it should execute a particular line or not.

Or is this a bug in 4DOS v5.5?

Thanks and Cheers,
Ian

------------------------------

Date: Wed, 15 Mar 95 18:14:53 -0500
From: EMD Enterprises
Subject: Re: Piggybacking and memory scanning (PC)

Iolo Davidson (iolo@mist.demon.co.uk) wrote:

---------snip-------------

RC>> Generic products such as InVircible do not require continuous
RC>> updating to address each new virus released.

ID> According to Dr.
ID> Keith Jackson, it does not address half the
ID> viruses already released. I have seen the above claim before,
ID> but such products do not succeed in replacing the ones you
ID> deride. To me, that says that they simply don't do the job.

As the manufacturer of a hardware based generic anti-virus product (EMD Armor Plus), I have to strongly object to this statement. Statements like "they simply don't do the job" from somebody like Mr. Davidson, who is the Technical Editor of a supposedly respected Anti-Virus publication, Secure Computing, betray a lack of an open mind.

---------snip--------------

RC>> This begs the question: What if the virus is not in the scan
RC>> string database?

ID> If it cannot detect it, then it is one that came along after the
ID> update was released, and is unknown to that scanner.

Exactly, that is why a generic solution is needed.

------------snip----------------

RC>> Indeed, some producers have written code into their scanners
RC>> warning "Your scanner is outdated!!"

ID> Certainly. This is something they need to know. You would claim
ID> they were hiding this fact if they weren't so honest and upfront.

I am sure honesty and forthrightness are the only reasons these messages are included :-)

------------snip-------------------

ID> Another way to look at it is that consistently successful
ID> products are those which the customer is happy with, and those
ID> that don't succeed are ones that the customer is not happy with.
ID> To succeed, make the customer happy. You can't do that by

I agree, the customer has to come first always.

--------------snip----------------

ID> If the public buy scanners, they will need updates. Dr. Solomon
ID> and others have tried to sell them checksummers and integrity
ID> checkers, but they don't like them. That is all there is to it.
ID> The reason they don't like them seems to be partly that they need
ID> to be installed before the event.
This is the big drawback for ID> all the integrity checks, behavior blockers, etc, which cancels ID> out the "no update" advantage. Another disadvantage is that they Isn't prevention better than cure? ID> can only report what they believe to be virus activity. Much of ID> the time they are wrong, and they upset people's work ID> unnecessarily. In any case, they cannot tell the user which ID> virus he has, if it is a real virus. This is correct - one of the biggest challenges when designing generic anti-virus products is how to reduce false alarms. A good generic product should have the means of reducing false alarms to a minimum. Also, when a virus alarm is sounded, the user is curious to know which virus caused the problem. For this reason we include a scan and a clean program with EMD Armor Plus. However, unlike a scanner based product it does not work as the main line of defense. - ------------snip-------------- ID> I am certainly sceptical that any generic or heuristic technique ID> will work 100%, or even 98%. Usually the most annoying problem ID> is an unacceptably high level of false alarms, but I don't ID> believe in the claimed infallibility of their magic techniques ID> either. How can you make a strong generalization like that? Have you tested all the generic products out there? This is a hardly an objective comment coming as it does from a magazine editor. - ---------------snip-------------------- Sujoy Deb, Ph.D. ******************************************************************************* EMD Enterprises Phone: (410) 583-1575 ext. 4624 606 Baltimore Avenue, Suite 205 Fax: (410) 583-1537 Towson, MD 21204 Email (Internet): emd@access.digex.net U.S.A. (CompuServe): 70473,3260 Fax-back: (410) 583-1575 ext. 
4 (select document 1015 for EMD Armor Plus) ******************************************************************************* ------------------------------ Date: Wed, 15 Mar 95 19:07:40 -0500 From: forte2@ix.netcom.com (Derek Fort) Subject: [Q] Several questions re: downloaded S/W (PC) I have just downloaded some a-v software. I am committed to learning and instituting good security measures on my system. I have several basic questions? 1) I purchased "PC Security and Virus Protection Handbook" by Pamela Kane, which contains a disk with Dr. Panda Utilities. How good are these utilities? 2) How do I know how clean the software is that I downloaded? Could these files themselves be infected, or are these read-only files? What is the source of these files? The files I downloaded are: oak.oakland.edu/SimTel/msdos/virus/... scn-216e.zip McAfee vsn-216e.zip McAfee fp-216d.zip F-PROT tbav632.zip Thunderbyte invb601b.zip Invincible killmnk3.zip Monkey Virus 3) Which ones are scanners and which integrity checkers? 4) Which ones should I run and in what order? 5) Where do I find unzip software, and how do I use it? How do I unzip these files? 6) I hear Central Point S/W is very poor. Is this true for both PC and Mac? I have both machines with CPAV loaded as well as MSAV (which is the same thing). 7) What a-v S/W is equally good for Mac platform? Where can I get it? 8) Are only the binary files the ones to worry about when downloading (when run)? What about binary images? I assume downloaded text is safe? 9) If my Power Mac can read PC files, can PC viruses infect my Mac? 10) Any other advice, recommendations or sources of info? - -- Thanks, Derek forte2@ix.netcom.com ------------------------------ Date: Wed, 15 Mar 95 19:52:20 -0500 From: Brian Risman Subject: McAfee doesn't get rid of JOSHI virus !!! (PC) Hi, the Joshi virus appeared on one of our PCs -- but the McAfee package installed could not get rid of it ! 
We had to fall back to the Microsoft Virus package, which succeeded. Does anyone have any advice on the effectiveness of the McAfee package -- or any additional comments ? Brian ------------------------------ Date: Wed, 15 Mar 95 20:27:02 -0500 From: netz@actcom.co.il (Zvi Netiv) Subject: Re: Access control and antivirus (PC) > I am a computer professional engaged in studying living programs, > both viruses and others, and several varieties of non-reproducing > malicious code. > Please let me know what kind of "hands on experience with live > viruses" you have to offer. For a starter I would suggest that you take a look at AVPL (the anti-virus practice lab). It's on several ftp's (datasrv. netcom) and in Simtel's mirrors. You'll find it also on Compuserve, in IV's forum ( GO INVIRCIBLE ). Please read the on-line documentation before experimenting with. Regard, Zvi - ----------------------------------------------------- Zvi Netiv, author InVircible NetZ Computing Ltd, Israel Fax +972 3 532 5325 email: netz@actcom.co.il, GO INVIRCIBLE on CompuServe - ----------------------------------------------------- ------------------------------ Date: Wed, 15 Mar 95 20:39:10 -0500 From: Steve Hathaway Subject: Re: Boot sector virus remains undetectable? (PC) writes: > > Recently my computer has become infected with the Junkie virus which > destroyed my disk MBR, boot sector, file allocation table etc. > I used F-prot v216 to disinfect lots of .com files and the MBR, and > have reinstalled lots of programs. > > Following generic advice supplied by this newsgroup, I also used the > fdisk /mbr and sys c: commands from a clean boot floppy. Although the > mbr command worked fine I get a message 'no room for system on destination > disk' using the sys c: command. This has me worried since when re-installing > DOS I got a message 'boot sector write error - possible virus infection'. 
> =================================================================== The message 'boot sector write error - possible virus infection' is trapped by some bioses when an attempt is made to modify the master boot record or partition table. This message can happen if you have bios disk protection enabled when you try to run legitimate programs of "fdisk" and "sys". To overcome the problem, run the bios setup on your computer to turn off mbr protection, fix the master boot record, then run the bios setup on your computer to again enable mbr protection. - - Steve Hathaway ------------------------------ Date: Wed, 15 Mar 95 23:04:44 -0500 From: vortexus@phoenix.net (VorTexUS WillHexUS) Subject: Invircible once daily not working (PC) Has anyone had the same problem? It worked for about a week. - -------------------------------------------------------------------------------- insert signature lines here INSERT SIGNATURE LINES HERE insert signature lines h ere INSERT SIGNATURE LINES HERE insert signature lines here INSERT SIGNATURE LIN - -------------------------------------------------------------------------------- ------------------------------ Date: Wed, 15 Mar 95 23:25:44 -0500 From: xiaonian Subject: [HELP] _1496 virus (PC) Hi, We just found a [_1496] virus in our PC. It affected many .EXE files and it took quite a long time (say 7 or 8 minutes) to boot the system. Other examples include tooking 1 or 2 minutes to start the DOS 'edit'. Could anyone tell us something about this virus as well as where to get software(s) to kill it (WWW home page or ftp site ?) We tried Scan V.2.1.1 of McAfee. The virus data file V2.1.216 was created on 02/23/95. It was able to detect the virus but could not clean it. Appreciated for your information. Lence ------------------------------ Date: Thu, 16 Mar 95 08:23:29 -0500 From: "The Radio Gnome" Subject: Re: Virus that screws up WFWG 32-bit disk access? 
(PC) >From: gwb@xs4all.nl (Jerry Britton) > >Anybody seen a virus that screws up Widows for Workgroups 3.11 32-bit disk >access? I booted my PC one day, only to receive the message: >"The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. There is >unrecognized disk software installed on this computer. There was a post on the alt.sys.pc-clone.gateway2000 newsgroup with this exact situation. Turns out that the persons PC was infected with FORM. Andrew Wing - CNE Lead Applications Analyst Temple University Computer Services "A fool and his net access soon go their separate ways" ------------------------------ Date: Fri, 10 Mar 95 12:49:04 -0500 From: moonstar@well.com (Farmer Tea) Subject: Re: ATTN: McAfee doesn't find ANTIEXE (PC) > > F-Prot Ver 2.16 identify and remove ANTIEXE. > Really, I can't get it to remove antiexe off of one of my machines. What's the trick? Toby ------------------------------ Date: Thu, 16 Mar 95 06:09:24 -0500 From: M.A.Jordan@iti.salford.ac.uk (MA JORDAN) Subject: Memory Resident Viruses and WinNT/Win95/OS/2 Warp (PC) Do any of the DOS viruses that become memory resident mange to work under any of the above OS's (or any other DOS comaptible 32 bit OS) for that matter. 
======================================================================== - -- Martin Jordan ----------------- The brain is a miraculous organ, it - - -- IT Institute ------------------ works from the moment we wake up ---- - -- University of Salford --------- until the moment we arrive for work - - -- Salford ----------------------- ------------------------------------- - -- M5 4WT ------------------------ Its not difficult being open minded - - -- UK ---------------------------- when you do mind altering drugs ----- - ---------------------------------- three times a week --- :) ---------- - -- M.A.Jordan@ITI.SALFORD.AC UK -- ------------------------------------- ======================================================================== ------------------------------ Date: Thu, 16 Mar 95 09:38:51 -0500 From: Angus Rae Subject: Re: McAffee 214 (PC) David Gray (it@mv.MV.COM) wrote: : I recently downloaded scn-214e.zip, ran it through a zip-virus scanner, : the results were positive... the zip checker I used didn't tell me what : virus was found nor did it tell me which of the files were corrupted. : But there was something screwy there. Just a word of warning. A virus scanner is very likely to trigger a virus scanner. Somewhere inside a virus scanner is stored all the code that indentifies a virus. If another virus scanner looks at a virus scanner and can't work out that these identifying bits of code are inactive, then it will report a possible virus infection. (Phew!) Unzip the file but don't run any of the EXEs, then run a better virus scanner than the ZIP one over them. (Fprot for example). It should come up clean. - -- Angus G Rae Biological User Support Team, Edinburgh University Email: Angus.Rae@ed.ac.uk Personal Page: http://www.ed.ac.uk/~angusr/ The above views are mine, and Edinburgh Uni can't have any of them. 
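The "scanner triggers scanner" effect Angus describes (and the same point in the McAffee 214 reply at the end of this digest) is easy to reproduce, and so are the two fixes a defender has: store signatures so their raw bytes never sit in the file, and check a hit against known-good tool hashes before alarming. The following is an added example, not code from the digest or from McAfee, F-Prot or any other scanner named here; every signature pattern, file and hash in it is constructed for the demonstration.

```python
"""
Added example (not from the digest or from any scanner it names): why a
plain substring scanner flags another scanner's own signature file, and two
defensive fixes. Every pattern and file below is a constructed byte string.
"""
import hashlib
from typing import Dict, List, Set

# Constructed signature database: name -> plaintext byte pattern.
SIGNATURES: Dict[str, bytes] = {
    "Demo.A": b"DEMO-A-PATTERN-0001",
    "Demo.B": b"DEMO-B-PATTERN-0002",
}
XOR_KEY = 0x5A   # assumed masking constant; any non-zero byte serves the purpose


def naive_scan(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """The simplest scanner: report every signature whose raw bytes occur in data."""
    return [name for name, pat in sigs.items() if pat in data]


def build_plain_db(sigs: Dict[str, bytes]) -> bytes:
    """Model of a scanner that ships its patterns verbatim inside its files.
    Any other substring scanner that reads this file sees every pattern."""
    return b"\n".join(name.encode() + b":" + pat for name, pat in sigs.items())


def mask(b: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with key (self-inverse, so the same call unmasks)."""
    return bytes(x ^ key for x in b)


def build_masked_db(sigs: Dict[str, bytes]) -> bytes:
    """Same database, stored as hex of the XOR-masked pattern: the raw
    pattern bytes never appear on disk, so a substring search cannot match."""
    return b"\n".join(name.encode() + b":" + mask(pat).hex().encode()
                      for name, pat in sigs.items())


def load_masked_db(blob: bytes) -> Dict[str, bytes]:
    """Inverse of build_masked_db; the plaintext patterns exist only in memory."""
    sigs: Dict[str, bytes] = {}
    for line in blob.split(b"\n"):
        name, hexpat = line.split(b":", 1)
        sigs[name.decode()] = mask(bytes.fromhex(hexpat.decode()))
    return sigs


def classify_hit(data: bytes, hits: List[str], known_tools: Set[str]) -> str:
    """Scanning-side fix: before alarming, compare the file's SHA-256 with an
    allowlist of known tool hashes (the check behind Angus's advice to re-scan
    with a better product). Returns a verdict string."""
    if not hits:
        return "clean"
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_tools:
        return "known-tool"    # the hit is the tool's own signature data
    return "infected:" + ",".join(hits)


def demo() -> Dict[str, object]:
    """Constructed inputs: a file carrying Demo.A, a clean program, and the
    plain and masked forms of the signature database."""
    sample = b"MZ\x90\x00" + b"x" * 16 + SIGNATURES["Demo.A"] + b"tail"
    clean = b"MZ\x90\x00" + b"just a normal program"
    plain_db = build_plain_db(SIGNATURES)
    masked_db = build_masked_db(SIGNATURES)
    # Allowlist as a vendor would publish it: the hash of the shipped database.
    allow = {hashlib.sha256(plain_db).hexdigest()}
    return {
        "sample": naive_scan(sample, SIGNATURES),             # ['Demo.A']
        "clean": naive_scan(clean, SIGNATURES),               # []
        "plain_db_hits": naive_scan(plain_db, SIGNATURES),    # false positive on both
        "masked_db_hits": naive_scan(masked_db, SIGNATURES),  # []
        "roundtrip": load_masked_db(masked_db) == SIGNATURES,
        "plain_db_verdict": classify_hit(plain_db, naive_scan(plain_db, SIGNATURES), allow),
        "sample_verdict": classify_hit(sample, naive_scan(sample, SIGNATURES), allow),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```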
------------------------------

Date: Thu, 16 Mar 95 09:52:54 -0500
From: kcck5@central.sussex.ac.uk (Roberto Corradi)
Subject: Re: .DLL files are disappearing. Have I got a virus? (PC)

Israel Kay (100112.2001@compuserve.com) wrote:
: To date I have not heard of any viral activity which deletes .DLL files.
: Have you noticed any of the following symptoms:

We've had a similar problem on one of the 486 PCs in our lab. In particular
the Sigmaplot .dll files disappear. I think some twit is deleting them....

The other thing is that if I run Central Point Anti-virus, the one shipped
with MS-DOS 6.xx, in Windows it comes up saying 90% or so of the files have
changed, but does not say virus. If I run it through DOS it finds nothing.
If I update in Windows then the DOS version starts shouting...

McAfee and F-Prot have both found no problems so I'll leave best alone.

Rob

------------------------------

Date: Thu, 16 Mar 95 11:27:53 -0500
From: Paul Walmsley
Subject: Re: Stealth_C Virus (PC)

ethelk@netcom.com (Ethel Kendrick) writes:
> Henry C. Jones wrote:
> >A simple sys of the floppy discs will get rid of the virus.
>
> No. Stealth_Boot.C infects the MBR. Sys'ing will do nothing.
>
> FDISK /MBR is much more effective.
>

Correct, fdisk /mbr will overwrite the MBR (which is on the hard disk), but
to get rid of a boot sector infection on *floppy disks*, sys will work
assuming you have enough free space on the disk. I'm not sure if Stealth_C
actually infects floppies (and I don't have any reference handy) but that's
what the posting was referring to.

Paul

------------------------------

Date: Thu, 16 Mar 95 11:31:07 -0500
From: hermann@akira.fmi.uni-passau.de (Michael Hermann)
Subject: SMEG based virus or not ? (PC)

Hi,

Yesterday I tried vds30s (virus scanner) and it reported a SMEG-based virus
in a .com file. Neither F-Prot (216d) nor McAfee's scan (217e) found
anything. Do I have a virus or not?

-Mike

------------------------------

Date: Thu, 16 Mar 95 12:22:45 -0500
From: rc.casas@ix.netcom.com (Robert Casas)
Subject: Re: Disinfecting ANTIEXE virus (PC)

>From: bordelon@whale.st.usm.edu (Darryl August Bordelon Jr)
>One of my friends recently had his system infected by the ANTIEXE virus,
>it was detected by SCAN and F-Prot, neither CLEAN nor F-Prot were able to
>disinfect it though, the virus had overwritten and taken over his
>harddrive's MBR. We finally resorted to formatting the infected
>hard-drive. I'm curious to if there is any method of protecting against
>this and/or disinfecting it...

Darryl-

Describing safe computing practices is a bit much to describe in a brief
note. Cleaning up an MBR infected by AntiEXE is very simple with version
6.01D of InVircible. Please read the manual.txt in the InVircible 6.01D
archive for many suggestions on safe computing practices.

Download a copy of InVircible 6.01D from CompuServe (GO INVIRCIBLE, and
download the file INVB60.ZIP from the InVircible file library) or ftp to:
pyro.slip.ais.net/crypto/invircible/invb601D.zip.

Use ResQdisk.exe from the archive. Please run RESQDISK. Is the SeeThru ON?
Toggle it ON/OFF with the F9 key. Does the image change? If it does, you
have a boot sector virus. Browse now with the down arrow to sector 13. Can
you read what you see there? If you see the string "missing operating
system", you're in good shape. Please press now ^E then ^R (^ = CTRL). Is
there a red diamond at top right? Now press Home. You should read that you
are now on sector 0,0,1. Make sure SeeThru is ON (F9). Now press ^E and
^W. Did the image change? Do you see now the "missing ..." label in the
middle of the window? You have just copied your actual MBR back to where it
belongs. Reboot your system using the reset key. Don't run anything else.

This is just one of the generic methods you can use with the InVircible
package to recover and restore your system from a virus. Read the extensive
online hypertext and manual.txt for further information please.

If you had previously installed InVircible on your system, the licensed
version could have restored the vast majority of your files to their
original condition, as well. Formatting your HD was not necessary. Using
the freeware "Sentry" version available for download you could have
identified files infected by a virus using IVB - the integrity _analyzer_
(not CRC checker) - in the IV package. Deleting virus-altered files and
restoring from backup would have cleaned your system completely.

Regards,
Robert C. Casas, Ph.D.
CPC Ltd.
Sysop - InVircible Vendor Forum

- --
_______________________________________________________________________
Robert C. Casas, Ph.D.              On CompuServe: GO INVIRCIBLE
CPC Ltd.                            Agent of NetZ Computing
casas@netcom.com <> 73763.20@compuserve.com <> rc.casas@ix.netcom.com
_______________________________________________________________________

------------------------------

Date: Thu, 16 Mar 95 12:32:24 -0500
From: kmco@omni.voicenet.com (Nora Isaac)
Subject: Gatekeeper (PC)

In response to a few postings from people having problems with Gatekeeper
from Datafellows: I have been using it successfully on my PC and it found
a virus (antiexe) on my floppy when I tried to access it thru file manager.
When I contacted Datafellows to find out about purchasing it, the contact
they directed me to said it would not be available in the U.S. - it would
only be marketed to European channels. They even acted surprised that we
would be testing it.

In response to Darryl Bordelon's posting: We were also infected with the
Antiexe virus. Tech support at F-Prot advised us to boot the hard drive
with a clean boot disk (disk should contain F-Prot files), run Fixdisk (a
utility I understand is included with F-Prot Pro), scan/clean all files to
assure no sign of virus, then reboot computer. This should work and you
should not have to FDisk the hard drive. Our instance was on a floppy disk
that was infected with both Form and Antiexe; both viruses "circulated",
therefore we couldn't clean the disk. We reformatted and that worked, but
I was concerned if this happened to a hard disk.

Best regards, Nora

Nora Isaac                       Internet: kmco@omni.voicenet.com
Kreischer, Miller & Co.          Compuserve: 73352,3340
Certified Public Accountants

------------------------------

Date: Thu, 16 Mar 95 13:14:00 -0500
From: dtheo1@umbc.edu (theo dino)
Subject: Re: Disinfecting ANTIEXE virus (PC)

Well, all you need to do is boot clean (noninfected write protected floppy)
Then type FDISK /MBR (This should also be on the clean W/P floppy)
All done!!!

I'm surprised that F-Prot was not able to remove it. It removed it just
fine for me when I was testing it. Do you have the latest version? (2.16
as of 3-16)

Also to remove it from floppies. (Very important to check any floppies
that were used during the infection)
Boot clean.
SYS X: (X being the floppy)
All done.

Someone had posted that sys won't work since this virus is an MBR infector.
That statement is partially incorrect. Floppies have no MBR so the boot
sector is infected.

Anyway, I hope this helps.

Dino

************************************************************************
*                                                                      *
* Dino Theo                                                            *
* Systems Analyst/Network Admin/Windows Programmer/All Around Slaveboy *
* USF&G Insurance                                                      *
* EMail - DTheo1@umbc8.umbc.edu                                        *
*                                                                      *
************************************************************************
The opinions expressed are mine and not of my employer. Besides, they
wouldn't be too happy knowing how much time I spend on the Net

------------------------------

Date: Thu, 16 Mar 95 15:41:03 -0500
From: moonstar@well.com (Toby Houser)
Subject: Re: Disinfecting ANTIEXE virus (PC)

> I'm curious to if there is any method of protecting against
> this and/or disinfecting it...

I'm not sure about how to protect from it, although I hope virstop has some
chance. The way I removed it was to boot with a clean floppy that ran
F-Prot. You get the "circular virus, can't remove" message. Quit F-Prot and
put in a floppy with Norton Anti Virus on it and scan the floppy. NAV scans
the floppy, memory, and the MBR of the hard disk (even though F-Prot
couldn't see the hard disk). NAV recognized it as Monkey and removed it. I
rebooted again with the F-Prot disk and ran F-Prot, and everything is
clean.

Does anyone know of a TSR that will prevent Anti-Exe from infecting the
hard disk? I have Virstop on all my machines, but they were still infected
somehow.

Toby

------------------------------

Date: Thu, 16 Mar 95 15:43:37 -0500
From: moonstar@well.com (Toby Houser)
Subject: Re: Fdisk /mbr??? (PC)

> When I run F-prot to scan and remove the ripper or josh b virus it says
> it will not because it on mbr. I ran fdisk /mbr before on c and d drive
> before running this. Please e-mail any responses.
>

The way I defeated Ripper was to boot with a clean floppy, and then cd to
/DOS and run FDISK /MBR from within that directory. Then run F-Prot and
you should be okay.

Toby

------------------------------

Date: Thu, 16 Mar 95 16:14:12 -0500
From: "Tom Kirke (312) 413-5539"
Subject: PC SAFE Anti Virus Hardware (PC)

I've just received a flyer from Texan Enterprises Inc. (800-208-8633). They
are distributing a PC board that apparently write protects your hard drive
and/or prevents booting from floppies. Has anybody here had any experience
with this, or this company? Send your comments to me & I'll summarize for
the list.

Thanks, tom

------------------------------

Date: Thu, 16 Mar 95 17:53:38 -0500
From: "David L. Blair"
Subject: Cinderella Virus (PC)

I have a community college nearby reporting a Cinderella virus on their
PCs. Since I am primarily a Mac person, this virus means nothing to
me....Does such a virus exist in the IBM/Compatible world? If so what is
their best bet to eradicate and control future re-infection. They ask me
to post this not having an Internet connection themselves. I know on the
Mac side we have Disinfectant, Virex, SAM, and probably a dozen others to
control such things. I searched a lot of virus areas on the Internet, but
found no reference to a Cinderella virus other than one indicating it was
some kind of hoax virus. I/they would appreciate any info you might be
able to send our direction..thanks....dblair@aea14.k12.ia.us

------------------------------

Date: Thu, 16 Mar 95 21:05:15 -0500
From: jwt65@uow.edu.au (THOM WESLEY J)
Subject: HELP: Slow Virus (PC)

Computer will not recognise C drive, however files still exist. Further
examination of the culprit floppy disks revealed 'Slow Virus'. Does this
mean that the whole hard disk is useless? If not, then what action can be
taken? Any help would be MUCH appreciated.

Wes
email address jwt65@uow.edu.au

------------------------------

Date: Thu, 16 Mar 95 23:22:37 -0500
From: "Dr. R.D. Kane"
Subject: windows specific virus? (PC)

I've had a random problem with executing Windows. A "lime green" colored
screen appears that has the same shape and format of program manager. Icons
appear as squares with greeked lettering. I can double click on what would
normally be Windows commands but get more greek and colors. When I exit
windows the screen turns to orange stripes on a black background. Rebooting
usually returns me to a normal Windows screen.

Other symptoms: While in Windows, when I double click the MS-DOS icon I go
to a blank black screen with a blinking cursor and no C: prompt. I have to
reboot. Once and only once I saw a message where the words "program
manager" would normally appear. It said ..."you have embarked on a
journey"...the rest was greeked. Bizarre.

Has anyone out there experienced anything similar?

------------------------------

Date: Fri, 17 Mar 95 00:04:23 -0500
From: chansamy@david.wheaton.edu (Sam Chang)
Subject: Re: Access control and antivirus (PC)

>From mr. Netiv's communication it sounds as if he provides users or
>potential customers with live vira. This is a highly dangerous and unethical
>practice, which should be discouraged for obvious reasons.
>
>We do let users handle real vira - in a strictly controlled environment and
>under competent supervision in our workshops in Holland.

I've been lurking in the background and find that it is time to set the
record straight. Here is the background to this meandering thread.

InVircible was installed on my computer and largely responsible for
restoring my hard drive, which was inaccessible due to a security program
that intercepted and rerouted all calls to the hard drive at boot time. I
was ecstatic, to say the least, about IV's ability to restore my system,
with no data loss or corruption. In the course of questioning the
tech-support representative about how this was done, I probed about IV's
anti-virus features. I asked questions along these lines: Would IV
recognize this type of virus? Could IV stop a virus created to do "this and
that"? How would IV respond to this viral condition? At my request the
tech-support rep. answered my questions capably, and in my opinion,
honestly. I appreciated being treated as a customer who had valid questions
and a right to know what was really dangerous and what were merely
hyperbolic homilies in dealing with viruses.

Now that my hard drive was operating again (and free of the security
program), I was curious to put IV to the test in its anti virus role. I
asked the tech-support rep. for his opinion on my plan to infect my machine
with practice viruses -- I had backups of my hard drive and software that
would leave virus signatures to be detected, and was going to create them
on my system. He thoughtfully responded that such practice runs were good,
but that if one really wanted to learn how to prevent and recover from
virus infections, there was no substitute for experience with the real
thing. In the course of our conversation, I asked where I could find real
viruses to work with. The tech-support rep. carefully pointed out that if I
were serious about my attempts to become competent in spotting and removing
viruses, that he would provide me with software that creates real viruses.
In the ensuing hours I learned why viruses are created, how viruses are
created, what they can do, and how to respond to the presence of a virus in
an educated manner. I created two viruses under the guidance of the
tech-support rep. and was amazed by what I saw. Creating a virus is easy; a
virus can be benign or rabidly dangerous; getting rid of a virus is
relatively easy. The sum of the matter is that I am a more informed user,
with a better understanding and respect for viruses and those who write
code to prevent damage.

From my dialogue with the tech-support rep., I understand Zvi Netiv and his
company does not provide potential customers with live viruses and does not
indiscriminately give them to customers. In my particular case, I asked for
the tools to create a virus. I was taught how to recognize a viral attack
and how to deal with it. While some may question the ethics and practice
described in my scenario, I would point out that there are many "good" anti
virus products available, but fewer companies that are "good" in supporting
their customers. Any company can service their product, but IMHO it takes
much more to service their customer.

Germane to discussions in this forum, is the much touted statement that AV
companies produce products in response to customer demand. Well in this
customer's case, I demand to be shown the best way to protect my system. I
have been shown in concept and deed and I am satisfied. Have I got all the
answers and "bases" covered? No, but I'm traveling the road to safer (and
happier?) computing. Ooh...that sounds so fatalistic :-)

Thanks all, for understanding the length of this post,

Sam

------------------------------

Date: Fri, 17 Mar 95 02:54:26 -0500
From: honge@mcmail.cis.mcmaster.ca
Subject: My computer [DX266] now acts like a 386/16? (PC)

My computer [DX266] now acts like a 386/16 - using SI.EXE/Bench.EXE...HELP!

It started when my Windows got stuck. I thought there was no big deal. So I
rebooted the system. It couldn't find any system files. All data in my hard
disk are gone. I fdisked the entire hard disk and found all drives [C & D]
were a mess. After I finished fdisk and format, everything is back on
track. Then I found another problem, my computer now acts really slow.

------------------------------

Date: Fri, 17 Mar 95 03:40:24 -0500
From: gwb@xs4all.nl (Jerry Britton)
Subject: Re: Fdisk /mbr??? (PC)

insik@seas.gwu.edu (Insik Kim) wrote:
>Ok this might sound repetitive but there seems to be many boot sector
>viruses on the computers on my campus and when you run fdisk /mbr, where
>would you run it from ??? Would it be the c: boot drive or would you boot
>up on a: disk and then switch to c: drive to run fdisk /mbr...???
>
>When I run F-prot to scan and remove the ripper or josh b virus it says
>it will not because it on mbr. I ran fdisk /mbr before on c and d drive
>before running this. Please e-mail any responses.

The key here is to boot from a known clean floppy. I booted from my MS-DOS
installation diskette, with the write-protect tab enabled. Then I did
FDISK /MBR etc. etc.

Jerry Britton -- gwb@xs4all.nl and on CompuServe at 100043,2415
http://www.xs4all.nl/~gwb/

------------------------------

Date: Fri, 17 Mar 95 08:30:03 -0500
From: dreamer@tiac.com (Dreamer)
Subject: Re: McAffee 214 (PC)

it@mv.MV.COM (David Gray) says:
>the results were positive... the zip checker I used didn't tell me what
>virus was found nor did it tell me which of the files were corrupted.
>But there was something screwy there. Just a word of warning.
<

Chances are your zip-virus scanner is seeing the strings used by McAfee to
detect viruses and thinks it is seeing a virus. I'd suggest unzipping and
checking it with another scanner, CPAV, FPROT or whatever else you can get.

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 27]
*****************************************
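Two MBR recovery actions recur in this digest: the RESQDISK walkthrough in Robert Casas's reply (find the relocated original MBR, here at sector 13, recognise it by the "missing operating system" text, and copy it back to sector 0,0,1), and the FDISK /MBR advice from Dino, Toby Houser and Jerry Britton (rewrite only the bootstrap code while the partition table stays). The following is an added example that is not code from the digest, InVircible, F-Prot or DOS; it models both actions on a constructed in-memory disk image, and the clean and foreign loader bytes in it are stand-ins, not real boot code.

```python
"""
Added example (not from the digest or any product it names): parse a
512-byte MBR, locate a relocated original copy elsewhere on the disk,
copy it back to sector 0, and, as the FDISK /MBR analogue, rewrite only
the bootstrap area. The disk image is constructed in memory.
"""
import struct
from typing import Dict, List, Optional

SECTOR = 512
PT_OFFSET = 446                        # partition table starts here
SIG_OFFSET = 510                       # 0x55 0xAA boot signature
MARKER = b"Missing operating system"   # text a standard DOS MBR carries

# Constructed stand-in for a clean DOS bootstrap (the first 446 bytes).
CLEAN_BOOTSTRAP = (b"CONSTRUCTED-CLEAN-LOADER\x00" + MARKER).ljust(PT_OFFSET, b"\x00")


def partition_entry(status: int, ptype: int, lba_start: int, size: int) -> bytes:
    """One 16-byte partition table entry; CHS fields are zeroed for brevity."""
    return struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3,
                       lba_start, size)


def build_mbr(bootstrap: bytes, entries: List[bytes]) -> bytes:
    """Assemble bootstrap + 64-byte table + signature into one sector."""
    table = b"".join(entries).ljust(64, b"\x00")
    assert len(bootstrap) == PT_OFFSET and len(table) == 64
    return bootstrap + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> Dict:
    """Split a sector into the parts a recovery tool inspects."""
    partitions = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba, size = struct.unpack("<B3sB3sII", raw)
        if ptype != 0:
            partitions.append({"status": status, "type": ptype, "lba": lba, "size": size})
    return {
        "valid_signature": sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA",
        "has_marker": MARKER in sector[:PT_OFFSET],
        "partitions": partitions,
        "table_bytes": sector[PT_OFFSET:SIG_OFFSET],
    }


def sector_at(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]


def find_original_copy(image: bytes) -> Optional[int]:
    """Look for a relocated original MBR: a sector other than 0 with a valid
    signature, the DOS marker text, and the same partition table as sector 0
    (the walkthrough's 'browse to sector 13 and read the string' step,
    generalised to a scan of the whole image). Returns its number or None."""
    current = parse_mbr(sector_at(image, 0))
    for n in range(1, len(image) // SECTOR):
        cand = parse_mbr(sector_at(image, n))
        if (cand["valid_signature"] and cand["has_marker"]
                and cand["table_bytes"] == current["table_bytes"]):
            return n
    return None


def restore_mbr(image: bytes, src: int) -> bytes:
    """Copy sector `src` over sector 0 (the ^E / ^W write in the walkthrough)."""
    return sector_at(image, src) + image[SECTOR:]


def rewrite_bootstrap(image: bytes, bootstrap: bytes) -> bytes:
    """FDISK /MBR analogue: replace only the code area; table and signature stay."""
    head = sector_at(image, 0)
    return bootstrap + head[PT_OFFSET:] + image[SECTOR:]


def demo() -> Dict:
    entries = [partition_entry(0x80, 0x06, 63, 2000)]   # one bootable FAT16 partition
    clean_mbr = build_mbr(CLEAN_BOOTSTRAP, entries)
    image = clean_mbr + b"\x00" * (SECTOR * 63)         # 64-sector constructed disk

    # Constructed "displaced" image: sector 0 holds a foreign loader with the
    # same partition table, and the original MBR now sits at sector 13.
    foreign = b"CONSTRUCTED-FOREIGN-LOADER".ljust(PT_OFFSET, b"\x00")
    displaced = bytearray(image)
    displaced[0:SECTOR] = build_mbr(foreign, entries)
    displaced[13 * SECTOR:14 * SECTOR] = clean_mbr
    displaced = bytes(displaced)

    src = find_original_copy(displaced)
    assert src is not None
    restored = restore_mbr(displaced, src)
    rewritten = rewrite_bootstrap(displaced, CLEAN_BOOTSTRAP)
    return {
        "sector0_has_marker_before": parse_mbr(sector_at(displaced, 0))["has_marker"],
        "copy_found_at": src,                                         # 13
        "restored_matches_clean": sector_at(restored, 0) == clean_mbr,
        "rewritten_matches_clean": sector_at(rewritten, 0) == clean_mbr,
        "partitions_kept": (parse_mbr(sector_at(rewritten, 0))["partitions"]
                            == parse_mbr(clean_mbr)["partitions"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both paths end with sector 0 identical to the clean MBR, which is why the posters could choose either: the copy-back preserves whatever the original bootstrap was, while the FDISK /MBR route only needs the partition table at sector 0 to still be intact.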