VIRUS-L Digest   Monday, 10 Apr 1995    Volume 8 : Issue 32

Today's Topics:

Write-protect media
viruses in binaries?
Vi-Spy/Data Physician
Q: Neuville (2KB) Virus (PC)
New version of McAfee SCAN? (PC)
Caution: Some copies IBM's Disk Mgr 6.0.3 may be infected. (PC)
Re: Help with virus on Boot record (PC)
DA' BOYs Virus (PC)
"SW Error" - is this some sort of virus? (PC)
Help! Infected by unknown virus! - help [01/01] (PC)
Re: Non detectable viruses (PC)
Re: Need info on ANTIEXE/NEWBUG (PC)
Strange Request (PC)
Undetectable stealth viruses (PC)
die hard 2 virus - help! (PC)
Wanted: UNIX based checker for DOS files (UNIX) (PC)
Dr Solomon's in the USA (PC)
Re: Cinderella virus (PC)
F-PROT Gatekeeper (PC)
Re: Need help selecting virus softwares (PC)
Re: Piggybacking and memory scanning (PC)
**Desperate for help!!!!!** Please read! (PC)
Re: The Vshield bug??? (PC)
Re: Help!! Can't disinfect Die_Hard virus (PC)
Virstop causing memory problems (?) (PC)
Hardware Virus Protection - EMD Armor Plus (PC)
Re: French boot is Russian (PC)
Re: Yellow vs. White text in F-PROT virus list (PC)
Is Anti CMOS a virus? (PC)
All experts please read and respond! (PC)
Desperately need help cleaning DA'BOYS virus!! (PC)
Espejo AV (PC)
Teletype virus (PC)
Re: A Known Virus? (PC)
Re: In InVircible - A Recent Review - Where to obtain? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.

A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 29 Mar 95 00:21:53 -0500
From: dond@ix.netcom.com (Don Di Tomasso)
Subject: Write-protect media

Do some viruses affect write-protected disks? Is that possible?

Don D. (dond@ix.netcom.com)

------------------------------

Date: Thu, 30 Mar 95 08:24:25 -0500
From: sofsky@midget.towson.edu (Frank Sofsky)
Subject: viruses in binaries?

There has been so much debate on whether or not a virus can come from a binary picture file; I have read so many times that viruses can only come from execute and command files; does anyone really have the correct answer to this?

Thanks

------------------------------

Date: Wed, 29 Mar 95 18:18:59 -0500
From: rayglath@aztec.asu.edu (RAYMOND M. GLATH)
Subject: Vi-Spy/Data Physician

March 24, 1995
For Immediate Release

Editorial Contact: Mark Hamilton, Director of Marketing
Tel: 602 423 8000  Fax: 602 423 8389
email to Mark Hamilton: 100013.600@compuserve.com
or to Ray Glath: rayglath@aztec.inre.asu.edu

RG Software is On the GrOw !

RG Software Systems, Inc. of Scottsdale Arizona, one of the early pioneers in the field of anti-virus software with its critically acclaimed Vi-Spy product line, announced today that it has completed the acquisition of Digital Dispatch, Inc.'s anti-virus software operations, including an installed base of approximately 500,000 users. DDI, a 13 year old Bloomington Minnesota company, was also one of the very first companies to enter the anti-virus industry with its product, Data Physician.
With no formal marketing program in place, DDI was still able to achieve sales of many large scale licenses to US and Canadian governmental agencies and departments as "word of mouth" spread the news of a good product and excellent support. However, since DDI's primary operations have always been in the computer training field, it has, for some time, been planning to withdraw from the anti-virus market due to flat sales and the demands of ever-increasing research and development costs due to the meteoric rise in the number of viruses appearing on the scene.

"With the Data Physician product enjoying an excellent reputation among its customers for quality and support, it was important for DDI to have its customers go to a company who is also expert in this field and who has a similar ethic towards providing exceptional quality product and support", said Bill Kenny, spokesman for DDI.

"We have enjoyed a long and beneficial relationship with DDI during which we have frequently exchanged information and ideas regarding the latest techniques being used by virus authors and the technology needed to combat them", commented Ray Glath, RG Software's founder and President, "and we are delighted that DDI has chosen RG to supply our products to its customers."

"For everyone concerned, this is a win-win situation", continued Glath. "DDI returns to its roots as a training company; RG Software grows its customer base; and, most importantly, DDI customers get continued service and support for their anti-virus needs."

While the terms of the acquisition are not being disclosed, RG Software will honor all existing DDI support contracts throughout their respective periods, by converting those customers to its Vi-Spy product line at no charge.

RG Software Systems was established in 1984 and has been at the forefront of the anti-virus industry since it introduced Vi-Spy, the first commercially-available anti-virus product, in 1989. The company regularly updates its software portfolio which includes Vi-Spy Professional for standalone computers and Vi-Spy Universal NIM, its platform-independent networking product.

###

------------------------------

Date: Tue, 28 Mar 95 21:15:18 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: Q: Neuville (2KB) Virus (PC)

Chris Riordon (chrisr@globalx.net) writes:

> Courtesy of IBM, my computer's master boot record has become
> infected with what Virus Alert calls "Neuville" and what Scan
> calls "2KB". The virus came on IBM's new Disk Manager 6.0.3,
> shipped directly from IBM Canada. (Although I normally scan
> everything, I didn't scan the boot sector of this disk,
> thinking naively that it was safe because of the source.)

Please watch your accusations. You make serious ones. You have not convinced me that IBM is at fault here. Please remember that this is a public conference. If you are wrong, you can possibly be held legally liable for making such comments.

> I caught the infection with a routine scan shortly after the
> virus installed itself on my MBR. No other files or floppies are
> reported affected, and I can boot from a (clean) floppy.
> What I want to know is:
> 1. What does this virus do?
> 2. Because I can't easily restore my system until the weekend,
> am I safe as long as I boot from floppy? (I assume there's no
> way for anything sitting in the MBR to get out unless you boot it...)
> Cheers (and a new adherent to scanning *everything*),

Neuville, also known as Touche, 2KB, French Boot and Sillybob, is a boot sector virus. When it goes resident it infects the MBR. It will only infect the HD if you boot from an infected floppy. After that it will infect all non-write-protected floppies accessed. It is not safe to boot from a floppy, as long as the virus is in memory. F-Prot and Dr. Solomon's AVTK identify Neuville and remove it.
Regards,
Israel

*********************************************************************
*  I S R A E L   K A Y
*  PC ANTI-VIRUS & DATA SECURITY CONSULTANCY
*  LONDON OFFICE
*  137 Wargrave Avenue, London, N15 6TX. U.K.
*  Tel: +44 (0)181 800 7278   Fax: +44 (0)181 802 9880
*  CIS: 100112,2001   Internet: 100112.2001@compuserve.com   CIX: ik
*  LONDON   NEW YORK
*********************************************************************

------------------------------

Date: Tue, 28 Mar 95 21:15:21 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: New version of McAfee SCAN? (PC)

Dror Lahat writes:

> I have McAfee Scan V.2.1.3
> with data file V2.1.213.
>
> I want to know where I can get a more updated version,
> the most wanted way - FTP...

Anonymous FTP oak.oakland.edu /SimTel/msdos/virus

> BTW, if u have suggestions to any better antivirus (from
> your experience), I will be happy to know what they are...

As well as the new version of McAfee Scan, you can try F-Prot ver 2.16. It is free for private use, and available on the above FTP site.

(Answer in E-mail... lahat@actcom.co.il)

*********************************************************************
*  I S R A E L   K A Y
*  PC ANTI-VIRUS & DATA SECURITY CONSULTANCY
*  LONDON OFFICE
*  137 Wargrave Avenue, London, N15 6TX. U.K.
*  Tel: +44 (0)181 800 7278   Fax: +44 (0)181 802 9880
*  CIS: 100112,2001   Internet: 100112.2001@compuserve.com   CIX: ik
*  LONDON   NEW YORK
*********************************************************************

------------------------------

Date: Tue, 28 Mar 95 21:15:22 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: Caution: Some copies IBM's Disk Mgr 6.0.3 may be infected. (PC)

Chris Riordon (chrisr@globalx.net) writes:

> Sorry to duplicate information in another post, but I did want
> to make sure people know this.
> IBM Canada shipped me a copy of Disk Manager 6.0.3 which permits
> users to manage DOS partitions larger than 1024 cylinders).
> It needs to be booted in order to work, and the floppy's MBR
> (Master Boot Record) and boot sectors contain, at no additional
> charge, a free copy of the Neuville (2KB) virus.
> I contacted IBM, and while their representative seemed very
> concerned, especially when I faxed him the details, they have
> not gotten back to me.
> The infection is hopefully local (this software was shipped by
> IBM Canada, likely from Montreal).
> Moral of the story is... don't trust =anything= regardless of
> source.

Are you 100% sure that you did not infect the diskette yourself by booting from it, without ensuring it was write protected? It is usual practice for companies such as IBM, etc. to provide software on write protected floppies. Did you by any chance remove this protection first? Did you, as is sensible practice, make sure that the diskette was write protected before using it?

Before installing the IBM software, which scanner did you use to verify the existence of the virus on IBM's floppy?

Regards,
Israel

*********************************************************************
*  I S R A E L   K A Y
*  PC ANTI-VIRUS & DATA SECURITY CONSULTANCY
*  LONDON OFFICE
*  137 Wargrave Avenue, London, N15 6TX. U.K.
*  Tel: +44 (0)181 800 7278   Fax: +44 (0)181 802 9880
*  CIS: 100112,2001   Internet: 100112.2001@compuserve.com   CIX: ik
*  LONDON   NEW YORK
*********************************************************************

------------------------------

Date: Wed, 29 Mar 95 02:39:13 -0500
From: jgg9072@uxa.cso.uiuc.edu (Jimmy )
Subject: Re: Help with virus on Boot record (PC)

 writes:

> I believe that there is a virus lurking in my PC's memory. I have noticed
> that 2KB of conventional Mem is missing ( only 638KB is reported ).
> some of
> the antivirus software that i have indicates that the parameters of my disk
> device (hard drive) has been changed. I can only start Windows using 16-bit
> disk access, instead of 32-bit disk access... if I try, i get messages saying
> that the MS windows 32-bit disk driver(WDCTRL) can not be loaded, and that
> the address that MS-Dos uses to communicate with the hard disk is changed.
> I am aware that a clean system disk (bootable) with antivirus software would
> be the obvious solution to get rid of the virus, but i did try this, and
> could not access the hard drive ( C drive ). I have done this before in
> previous occasions and it has worked, but this time the situation seems to
> be different. I really appreciate any kind of help. Raff.

I have a similar problem. My machine has only 635k total conventional memory (missing 5k). I tried several anti-virus software but could not detect any virus, though I was told it should be some kind of virus which affected boot sectors. Please help me with the problem.

Thanks.
Jimmy.

------------------------------

Date: Wed, 29 Mar 95 04:47:08 -0500
From: Rons2@ix.netcom.com (Ronald Schroeder)
Subject: DA' BOYs Virus (PC)

Any info on this one will be appreciated ... so far cannot locate any virus program either commercial or shareware that will eradicate this pest.

So far --- from a newly started machine (turn it off first!) and then from a clean boot --- I must fdisk /mbr then re-sys the HD (from the booted FD A: like this sys c:). Then - now this is important the damn thing is in memory - turn off the machine - wait about 3 mins for it to dissolve - and then restart, booting from the HD. Then as a paranoid I will use Norton's diskedit in text mode to view the boot record to be certain it is gone - if it is there you will see its signature, DA' BOYS spelled out! And then you start over - turning off the machine (Pull the plug) restarting with a bootable floppy, etc.

Ron

------------------------------

Date: Wed, 29 Mar 95 07:03:59 -0500
From: ngchwei@merlion.singnet.com.sg (Novice)
Subject: "SW Error" - is this some sort of virus? (PC)

Once every month or two, I get this problem when I run Windows: a column of "SW Errors" appears when I click on some icons. The screen then scrolls up with this column of SW Errors and nothing else. On those icons which work, I can't save anything on my hard disk - I get a message that the disk is full, although I have plenty of space left over. The funny thing is, after one day, the problem automatically disappears, only to reappear after some time.

I've run Windows' Anti-Virus program, and can't seem to find anything wrong. I'm a newbie on the net, and would really appreciate any help. Please email me or post a message on this newsgroup.

Thanks in advance.
C. H. Ng

------------------------------

Date: Wed, 29 Mar 95 09:53:46 -0500
From: Theo.Savidis@lpul.slu.se (Theo Savidis)
Subject: Help! Infected by unknown virus! - help [01/01] (PC)

BEGIN -- Cut Here -- cut here

I have a PC infected with a virus that the latest versions of SCAN (SCN-217E and SCNB220) can't detect, so I guess it must be fairly new. This is what I've been able to determine about it:

Infects only some EXE-files, no COM:s.
Increases the file size with 1376 bytes.
Probably mutating itself or something, since not two occurrences look the same.
I think it must infect the Master Boot Record, since a SYS C: from a clean floppy won't stop it from loading itself when booting the computer.
No data has been destroyed yet, but it causes strange bugs in some programs, like Norton Commander.

Does anyone have an idea which virus it is? Is there an antidote? If it's a new virus, is there a place where I should upload it?
END -- Cut Here -- cut here

------------------------------

Date: Wed, 29 Mar 95 14:12:12 -0500
From: weissel@sun.ph-cip.uni-koeln.de (Wolfgang Weisselberg)
Subject: Re: Non detectable viruses (PC)

Rafael Rivera (rivera@oasys.dt.navy.mil) wrote:

:->Is there a virus that is not detectable by the latest McAfee Vscan/Vshield
:->virus scanners?

YES. But that is true of all anti-virus systems, including IV. The real problem here is that a certain program called 'scan' does not detect an alarming amount of viruses (even common ones) - and is rather slow, too. You should always use 2 or 3 AV-programs; should one fail, the other one might still alarm you.

TSR-Programs usually will not detect any polymorphic viruses at all; the search algorithms are too complex, slow and memory-eating. Never rely on those as your sole protection. They will detect LESS viruses than their scanning counterpart.

Good programs include:

TBAV - VERY fast, uses checksums and heuristics (i.e. even new viruses might be found (50% perhaps)) and can use heuristics to clean, too.

F-Prot - quite fast and it really does distinguish variants well (you NEED to know them to clean properly)

AVP - very slow at highest security level, but can clean virtually any virus it knows (apart from ones that destroy the program code)

All of them are Shareware; F-Prot is NOT required to be registered for the private user.

Try them. You might be safer.

- - Wolfgang Weisselberg

------------------------------

Date: Wed, 29 Mar 95 16:59:53 -0500
From: listorj@richmond.infi.net (Ron Listo)
Subject: Re: Need info on ANTIEXE/NEWBUG (PC)

Bob Thorsen says:

>One of our users has a disk that she brought home. Husband's system
>(with McAfee) said the disk was infected with ANTIEXE. Our CPAV
>found nothing. Newer signatures for CPAV found a virus it called
>NEWBUG. CPAV's data base says NEWBUG only infects diskette boot
>sectors.

We have found Antiexe & Newbug to be the same. Depends which AV program you run. They'll report different names. It is also easily removed by all (I think) AV programs, including Microsoft AV.

//RON//

------------------------------

Date: Thu, 30 Mar 95 01:18:30 -0500
From: dylan@wam.umd.edu (Dylan J. Greene)
Subject: Strange Request (PC)

I've been asked if there is any anon ftp sites where a user could download/upload viruses. My first feelings were "I hope not!" but then I thought about the many virus protection developers. How do they get samples of the latest viruses?

Stemming off the first question is this one: Is there such a thing as a virus that is not harmful (aka possibly helpful)? What if a TSR was implemented as a virus, such as antivirus software that could "spread" causing any program it came in contact with to possess the ability to know if it had a virus before executing (or modified in suspicious ways).

Thanks for any insight.

Dylan J. Greene          dylan@wam.umd.edu          U of Maryland
CSC Student Advisory Council Member
Computer Science Center Computer Consultant
UMCP Association for Computing Machinery Secretary
Co-author of WITS: Windows Internet Tool Set
NEW & IMPROVED: phantom home page  http://www.wam.umd.edu/~dylan

------------------------------

Date: Thu, 30 Mar 95 03:28:14 -0500
From: Friedli Paolo
Subject: Undetectable stealth viruses (PC)

A couple of months ago, I wrote a small virus detection software. That's it, I had to study almost any kind of PC viruses that exist. But I have been told that it is possible to write PC viruses that are virtually undetectable. Although I was able to imagine the way it could work, I was wondering if such viruses have already been discovered. Does anybody have info about that?

Thank you.
+------------------------------------------------------------------+
| Paolo FRIEDLI                    Edipresse Publications SA        |
| Ingenieur en Informatique        Avenue de la Gare 33             |
| Developpement                    CH - 1001 Lausanne               |
|                                                                  |
| voice: +41 (0)21 349 51 12       fax: +41 (0)21 349 51 09         |
| E-Mail Internet: Paolo.Friedli@com.mcnet.ch                      |
+------------------------------------------------------------------+

------------------------------

Date: Mon, 27 Mar 95 11:56:35 +0000
From: knoxcj@elec.canterbury.ac.nz (c.j. knox)
Subject: die hard 2 virus - help! (PC)

I have a computer here that is infected with the die hard 2 virus. Neither F-Prot 2.15 nor McAfee scan (dunno what version - not expired yet) have been able to remove it. How can I get rid of the virus apart from "format c: /u", since the backups are probably infected as well.

In other words - HELP!

| +-> C.Knox

------------------------------

Date: Mon, 27 Mar 95 13:59:22 -0500
From: Erik Ivanenki/0/o
Subject: Wanted: UNIX based checker for DOS files (UNIX) (PC)

Hi there!

I've been requested by our internal audit people to install some form of checking for viruses. Our server is a SUN, with PC clients. The server runs an SMB server. I'd like to find some software (prefer GNU or cheap) that will check the software on the SUN for viruses that were transported from the PC's.

Any help would be MOST appreciated.

Thanks in advance,
Erik Ivanenko

------------------------------

Date: Thu, 30 Mar 95 07:18:14 -0500
From: gcluley@sands.co.uk
Subject: Dr Solomon's in the USA (PC)

S&S International, developers of Dr Solomon's Anti-Virus Toolkit, have formally opened their new office in the USA:

S&S Software International, Inc.
17 New England Executive Park
Burlington, MA 01803
Tel: (617) 273-7400
Fax: (617) 273-7474
Email: 72714.2252@compuserve.com

Regards
Graham

- ---
Graham Cluley [gcluley@sands.co.uk]              UK Tel: +44 (0)1296 318700
Senior Technology Consultant,                     UK Support: support@sands.co.uk
Dr Solomon's Anti-Virus Toolkit                   USA Tel: +1 617 273-7474
S&S International PLC, UK                         USA Support: 72714.2252@compuserve.com
CIS Tech Support: GO DRSOLOMON

------------------------------

Date: Thu, 30 Mar 95 10:44:25 -0500
From: Mikko Hypponen
Subject: Re: Cinderella virus (PC)

David L. Blair wrote:

> I searched a lot of virus areas on the Internet, but found no
> reference to a Cinderella virus

There is a description available at our WWW virus description server at http://www.datafellows.fi/. Here's the contents of URL http://www.datafellows.fi/v-descs/cinderel.htm:

NAME: Cinderella
ORIGIN: Finland
SIZE: 390
TYPE: COM-files, Resident

Cinderella was found in Finland in June, 1991.

It infects all COM-programs which are longer than 390 bytes.

Due to a programming error, Cinderella may infect files with extension CO, DOC, OC or no extension at all.

Cinderella counts the user's keypresses and activates after a certain amount. Then the virus creates a hidden file named CINDEREL.LA and resets the computer.

Copyright (c) Data Fellows Ltd's F-PROT Professional development & support < f-prot@datafellows.fi >

As Cinderella is several years old, most antivirus programs will detect it - F-PROT detects and disinfects it for sure.
- --
Mikko Hermanni Hyppönen // mikko.hypponen@datafellows.fi
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Computer virus information available via WWW at http://www.datafellows.fi

------------------------------

Date: Thu, 30 Mar 95 11:01:11 -0500
From: Mikko Hypponen
Subject: F-PROT Gatekeeper (PC)

Nora Isaac (kmco@omni.voicenet.com) wrote about F-PROT Gatekeeper:

> I contacted Datafellows to find about purchasing it, the contact they
> directed me to said it would not be available in the U.S. - it would
> only be marketed to European channels.

Right now we're in the middle of negotiations with Command Software Systems from Florida on how F-PROT Gatekeeper will enter the US market.

On a related note, I would like to ask all F-PROT Gatekeeper testers to direct your tech support requests to the official support address, which is feedback@datafellows.fi, instead of posting your questions in public to comp.virus/VIRUS-L. Our F-PROT Gatekeeper Support can answer your questions, but they will respond to the queries on comp.virus only if they happen to see them, which happens more or less by chance. We do not want to see comp.virus/VIRUS-L used as a product support forum.

- --
Mikko Hermanni Hyppönen // mikko.hypponen@datafellows.fi
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Computer virus information available via WWW; http://www.datafellows.fi

------------------------------

Date: Thu, 30 Mar 95 12:19:36 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Need help selecting virus softwares (PC)

miseurope@delphi.com (miseurope@delphi.com) writes:

> I refer to the message posted by you in this forum. Firstly a full answer
> will be posted on this forum shortly.

We all await it with impatience. Please be so kind as to CC: me a copy, since I am too busy at the moment and don't have the time to constantly monitor this newsgroup.

> Secondly, we are taking legal advice as
> to your comments and actions taken in this light will be directed to you at
> the University or to your next location when you leave later this year.

You are quite welcome. I stand firmly on my opinion which I stated before about your product.

> I feel
> very strongly about your comments and virtually all of them are "FALSE".

I'm sorry that you take it so deeply, but you are nevertheless wrong. Of course, you are entitled to your opinion, just as I am entitled to mine. In fact, I am even ready to accept the idea that you sincerely believe that your product offers "protection against all known and unknown viruses" as is boldly stated in your brochure. I, for my part, and based on my 6-year experience with viruses and on the limited experience I had with your product, believe that this is utter nonsense.

Even if your product worked as advertised, it offers no better protection than the write-protection tab on the floppy disks. As we all know, this protection is impossible to circumvent by viruses (if it works properly, of course). As we also well know, viruses spread from one machine to another mostly via floppy disks. Since, as we all know as well, regardless of this "ultimate protection" computer viruses continue to thrive and spread very well, then obviously something is flawed in the general concept of this kind of protection. :-)

Of course, the above were just general statements. Regarding your product in particular, the situation is much worse. The first time I played with it at the Hannover fair, it failed to notice the creation of a COM file in a directory where an EXE file with the same name existed. It also failed to notice the overwriting of a BAT file. At this point I stopped testing it, because I had my point proven - that it is unable to stop at least two entire *classes* of viruses - merely companions and BAT infectors.
I'm certain that I could have easily found other classes as well - for instance, I am fairly certain that it doesn't protect OBJ or AVR files, and at least one OBJ and one AVR infector are known to exist - here you have two additional classes of viruses that would slip undetected. Do I also have to mention diskette-only infectors that damage data on the hard disk or are you already getting the point?

The second time I played with it, you had the security "beefed up" - obviously in an attempt to cover the security holes that I pointed out to you. As a result, the product wouldn't allow the user even to COPY a COM or a BAT file, thus proving another point of mine - that you can protect a system from viruses if you completely isolate it, but this essentially renders that system useless. Any user who is confronted with the inability to perform such simple operations as the ones mentioned above will simply turn your product off. And even the best protection fails to stop any viruses if it is turned off. :-)

As regards the sample of your product that was sent to our VTC for testing, it EVEN REFUSED TO INSTALL on all machines that we tried it. The manual says "just plug in the card and run the software installation program". So we did, and the software installation program said "card not found" and aborted. Even the scanner part of your product refused to run because the "hardware was not installed" (why?!). And, of course, in this condition it failed to detect *any* viruses at all.

I even tried to get some technical support. Interestingly, it seems that your company treats the whole of Europe as really "one and the same thing", since the only tech support number provided in the documentation was in the UK. Regardless of being in Germany, I tried to contact it. All I got was a voice mail system. After going through its maze and pressing "3 for technical support", I was informed that "the person I am looking for does not have a mailbox". At this point I gave up, since my time is valuable and I don't like to have it wasted.

So, I stand firmly on my original opinion. Your product is next to useless and I, as an anti-virus expert, wouldn't recommend it to anybody.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                 Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226  Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.       Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Mar 95 12:25:55 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Piggybacking and memory scanning (PC)

EMD Enterprises (emd@access.digex.net) writes:

> ID> deride. To me, that says that they simply don't do the job.

> As the manufacturer of a hardware based generic anti-virus product
> (EMD Armor Plus), I have to strongly object to this statement.

As an anti-virus expert and a person who has tested your product, I have to strongly agree with Iolo's statement. Your product simply doesn't do the job. It even failed to install.

> Isn't prevention better than cure?

It is. But Iolo is defending the scanners and they (unlike the integrity checkers, for instance), indeed provide *both* prevention (if you scan all incoming software) and cure (if you get infected).

> This is correct - one of the biggest challenges when designing
> generic anti-virus products is how to reduce false alarms. A good
> generic product should have the means of reducing false alarms to a
> minimum.

I certainly agree with the above statement. I am only curious why you haven't applied it to the design of your own product? Or maybe we understand different things under the term "false alarm"? I certainly regard as a false alarm the fact that your product sounds its bells and whistles when the user attempts to copy a COM, EXE or BAT file to the hard disk.
Even worse, when the user tells it to continue, the copy command still aborts, with the message that there is "insufficient disk space", while, in fact, plenty of it is available.

> Also, when a virus alarm is sounded, the user is curious to know
> which virus caused the problem. For this reason we include a scan and a
> clean program with EMD Armor Plus.

The problem is, that according to Virus Bulletin's review, your scanner is so poor that it is unlikely to perform the above task properly. You definitely should consider designing a better scanner for your product - or license someone else's, if you are unable to. Adding a good integrity checker won't hurt either.

> ID> I am certainly sceptical that any generic or heuristic technique
> ID> will work 100%, or even 98%. Usually the most annoying problem
> ID> is an unacceptably high level of false alarms, but I don't
> ID> believe in the claimed infallibility of their magic techniques
> ID> either.

> How can you make a strong generalization like that? Have you
> tested all the generic products out there?

Aw, what a beautiful argument! I like it! I like it so much, that I'll use it... against you. :-)

In your product's promotional materials, you claim that it "stops all known and unknown viruses", "is the ultimate protection against viruses" and so on (the quotes are not word-for-word exact; I am not in my office right now and don't have access to the materials). So, I am asking you, have you really tested *all* known *and* unknown (huh?) viruses against your product? Have you tested all other existing anti-virus protections to claim that yours is the ultimate one? If not, why are you making such claims? Dunno about the other countries, but here in Germany you can be held legally liable for making false advertisements.

> This is a hardly an objective comment coming as it does
> from a magazine editor.

Yours, as a comment coming from the discussed product's developer, is *much* less objective.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                 Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226  Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.       Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date: Thu, 30 Mar 95 14:01:32 -0500
From: craman@unity.ncsu.edu (Christopher Ray Aman)
Subject: **Desperate for help!!!!!** Please read! (PC)

I have an IBM compatible 386. Two days ago, it fell ill with what my anti-virus program calls a STEALTH_C virus. However, I have a scan/clean program from McAfee and it knows nothing about a 'STEALTH_C' virus. If anyone who happens to read this knows anything about this virus, what it does, where it comes from, or how to get rid of it, please e-mail me at one of the two addresses below.

Thank you in advance for your help.

Chris

- --
+------------------------------+---------------------------------------------+
|Christopher Ray Aman          | I take no responsibility for the opinions   |
|craman@unity.ncssu.edu        | although they are mine, and should not be   |
|crossmen@nando.net            | mistaken for those of the reader.           |
+------------------------------+---------------------------------------------+
| "I wish that it might come to pass, not fade like all my dreams.           |
|  Just think of what my life might be- in a world like I have seen.         |
|  I don't think I can carry on this cold and empty life..."                 |
|                                              -- N. Peart "2112"            |
+----------------------------------------------------------------------------+

------------------------------

Date: Thu, 30 Mar 95 14:59:20 -0500
From:
Subject: Re: The Vshield bug??? (PC)

c0453717@techst02.technion.ac.il (Alschitz Peter) writes:

>I've just installed the 2.1.2 version of McAfee's AV software and
>tried to run the vshield program. It reports that the Radium.519
>virus is found in the memory (at the time it installs and checks the
>memory).
>I've tried to check the memory and drives with various
>scanners, but they're reporting that the system is clean.
>Is it some bug of Vshield, incorrect reaction on one of the TSR's?
>The F-PROT's virstop 2.16 finds nothing.

Peter, there is a beta version of 2.2.0 available at ftp.mcafee.com - I think it's vshb220.zip - maybe this will help.

Chris Moore
Hamilton, Canada

------------------------------

Date: Thu, 30 Mar 95 15:02:32 -0500
From: chrism@ccohs.ca (Chris Moore)
Subject: Re: Help!! Can't disinfect Die_Hard virus (PC)

pjah@grin.io.org says...

>My computers have been infected by the Die_hard virus and neither Norton
>Anti-virus nor F-Prot 2.16D will disinfect it. What's out there that
>will clean it?!!!

Hi Patrick. I had the Die Hard 2 (DH2) virus, and got rid of it with the following steps. Maybe it'll do the same for you.

Chris Moore
Hamilton, Canada

If you have PKZIP.EXE, PKUNZIP.EXE and SCAN.EXE on a diskette that goes in your B: drive, just substitute B: for A: in steps 2 and 4 below.

1) Boot the computer with the infected version of DOS.

2) Using a clean version of PKZIP.EXE on a write-protected diskette, compress all your .EXE and .COM files. I did this as two separate .ZIP files, but they could be compressed into one. At the C:\ prompt (you must be in the root directory), type A:PKZIP EXEFILES *.EXE -RP. This creates EXEFILES.ZIP, which contains all your .EXE files with a record of which directories they come from. Type A:PKZIP COMFILES *.COM -RP to zip your .COM files.

3) Turn the computer off (don't just use CTRL-ALT-DEL). Reboot with a clean, write-protected DOS diskette in the A: drive.

4) With a clean version of PKUNZIP.EXE on a write-protected diskette, unzip your files, overwriting the infected versions. At the C:\ prompt, type A:PKUNZIP EXEFILES -OD then A:PKZIP COMFILES -OD to overwrite the infected .EXE and .COM files on your hard disk. The versions from the .ZIP files are clean.

5) Delete all versions of COMMAND.COM from your hard disk. They will probably be in the root and DOS directories.

6) Put the clean write-protected DOS diskette in the diskette drive, and type A:. At the A:\ prompt, type SYS C: to transfer the clean COMMAND.COM file to your hard disk.

7) Copy C:\COMMAND.COM to whatever other directories you deleted it from in step 5.

8) Turn off the computer, then turn it back on without a diskette in the A: drive.

9) When the computer has booted, put the clean write-protected diskette containing the virus scan program in the A: drive, run it by typing A:SCAN C: /ALL and keep your fingers crossed! If it tells you that no viruses are found, you are done. If not, you might want to try the whole thing again, in case you missed a step along the way.

------------------------------

Date: Thu, 30 Mar 95 15:43:26 -0500
From: johnm@corbis.com (John Mollman)
Subject: Virstop causing memory problems (?) (PC)

I'm using F-Prot professional on ~110 workstations (mostly Gateway P-5 90s), all running WFW 3.11 on an NT network. About 10% of these machines have become extremely unstable since having Virstop installed on them. Most machines seem to run out of memory and freeze with what I consider to be a reasonable number of apps open at one time (Excel, Word and MS Mail for example). Memmaker has been used to try and optimize memory use on all machines which are having trouble, and on a few of them that was enough to solve the problems. Adding something like QEMM is not an option due to costs for the number of workstations.

Virstop loads from autoexec.bat, and has been configured to use XMS for swapping. Installation was identical on all machines, and on all other machines Virstop causes no problems. Commenting Virstop (and Novcast) out solves the problem completely, but auto scan of floppies was a big reason I chose F-Prot pro to begin with.

I know that TSRs like Virstop can cause a lot of trouble, but this seems more severe than what I'd expect from TSR problems.
I'm curious if anyone else out there has had similar problems with Virstop (or any other TSR scanners) and what they did to solve/work around these problems.

BTW, other than this I've been very happy with the performance of F-Prot pro and the Command SW tech support staff.

------------------------------

Date: Thu, 30 Mar 95 16:05:12 -0500
From: EMD Enterprises
Subject: Hardware Virus Protection - EMD Armor Plus (PC)

[ Lately we have been swamped by e-mails requesting us to explain why we feel that hardware protection as available from a product like EMD Armor Plus offers superior protection. This is understandable - EMD Armor Plus takes a different approach to fighting viruses compared to scanner based products. So naturally people in the anti-virus community are eager to know how it works. Unfortunately it is becoming impossible to respond to each mail individually. My thanks to "Doc" (dochobbs@wwa.com) for permitting me to respond to his e-mail publicly. Hopefully this will help to clarify similar doubts that other readers of Virus-L and comp.virus may have in their minds. ]

"Doc" (dochobbs@wwa.com) writes

> Dr. Sujoy Deb,
> I have a couple of comments and questions.
> How many people have a need for a product that operates before the
> autoexec or config execute?

You need this type of product to protect your PC from boot viruses. Boot viruses take control of the boot process before any software can be loaded via config.sys or autoexec.bat. That is why scanners and TSRs, which can only be loaded in config.sys and autoexec.bat, are ineffective against boot viruses. A hardware product that works as an extended BIOS is the best way to protect against a boot virus.

> Most computers that I know about boot from the hard drive and if the
> virus is on that drive than it is too late for your product to stop it.

EMD Armor Plus is equally effective no matter whether you boot from an infected floppy (accidentally, in most cases) or from a hard disk with an infected boot sector.

> I don't understand why someone would boot their computer from a disk
> that they don't know anything about. I certainly don't stick disks in
> the drive and say 'let's see if this will boot my computer' and any
> disks I use specifically for boot-ups, I created.

It can happen accidentally. Indeed, a boot virus's most common method of entry is when someone accidentally boots the computer with an infected floppy in the floppy drive. This floppy does not have to be a bootable floppy for the boot virus to become active. One would see the message "Non-system disk or disk error; Replace and strike any key when ready." By this time the boot virus has become active, and as soon as the user hits enter, the virus completes the destruction it is supposed to do.

>: * The user gets a peace of mind and a secure feeling. One does not
>: have the feeling of vulnerability between scans, and does not have to
>: live in dread of boot viruses.
>:
>: * There is no need to install frequent updates. Instead, the user
>: gets an "Install and Forget" solution. The user saves time and money
>: subsequently by not having to update the virus signatures periodically.

> A couple of things here. Most users who need peace of mind, are
> terrified by false positives. I'm assuming that if your product
> detects most viruses that it cannot accurately identify all of them.
> That would require a) updates in software form for id purposes or b)
> constant calls to customer support to clarify false positives which can
> come from everyday programs.

You raise a good point here. One common criticism against activity monitors like EMD Armor Plus has been that these are prone to giving false alarms, and this creates a temptation to disable the protection altogether. When we designed EMD Armor Plus, we made sure to reduce instances of false alarms to almost zero. EMD Armor Plus has a unique feature called "Immunization with Special Permissions". You can give permissions to programs like compilers, which frequently write to executable files, to proceed without raising false alarms. Similarly, user specified programs like FORMAT, SMARTDRV, utility programs can access hard disks directly. THIS DOES NOT REDUCE THE PROTECTION LEVEL OF THE OVERALL SYSTEM IN ANY WAY. This feature is rather unique to EMD Armor Plus.

On the other hand, scanner based software products are not exactly free from false alarms either. One only has to follow the comp.virus and alt.comp.virus newsgroups to get an idea of the chaos and confusion prevailing among users due to the false identification of viruses by the leading scanner based programs. The fact is, scanners nowadays have to rely more and more on heuristic scanning in order to be able to detect the newer sophisticated viruses. As a result the scanners are prone to raising alarms whenever they think the code MIGHT be a virus.

> Also, many anti-viral software products are free for general (non-business)
> use. The only cost to me is time to get the updates.

It is tough to be cheaper than something that is free :-) However, EMD Armor Plus is very competitively priced (in most cases cheaper) when compared to commercial anti-virus software when the cost of periodic updates is included. Even leaving aside the cost factor, in most cases users fall behind the latest updates due to a variety of reasons. That is why we feel that we need to move away from a technology that depends on periodic updates to maintain its effectiveness.

> You seem to point to boot sector viruses a lot. Most viruses that I am
> aware of are .com/.exe infectors and are much more easily spread by
> errant disk swapping because some may go resident. How does your product
> fare against them with the varying encryption/stealth techniques? How about
> getting rid of them if I have them? Most a/v software products have some
> cleaning feature.

Your comment that file infector viruses are more common is indeed correct. However, although relatively small in number, boot viruses are responsible for the majority of virus related disasters, largely because scanner based software products are of limited use against them.

Sophisticated viruses employing encryption/stealth techniques do not present any special challenge for EMD Armor Plus. This is because EMD Armor Plus looks for the activities that are typical of viruses, and does not focus on their appearances as scanners do.

EMD Armor Plus does come with a utility to clean viruses. However, a few words about cleaning viruses may not be out-of-place here. Not all files that are infected by viruses can be cleaned. The cleaning procedure does not work even for many known viruses. Often times viruses corrupt files to such an extent that the only option is to delete the files and restore them either from a back-up, or the vendors' original installation floppies. THIS IS TRUE FOR ALL CLEANING PROGRAMS. In fact, most experts recommend that a virus infected file be deleted and restored from a back-up even if it is possible to clean it.

> Finally, how much does it cost? What are the technical specifics? Has it
> been reviewed or tested?

In the U.S. it is available for $129.00. Additional discounts are available for site licenses and larger quantities. We also have a special discount program for educational institutions. In other countries you will need to contact the local distributor. Please e-mail me if you do not know who our distributor might be for your country.

I can send the full technical specifications to anyone who might be interested. Please e-mail me if you want the information.

As regards reviews, EMD Armor Plus was reviewed by the PC Plus magazine in the December, 1994 issue and received a score of 5 out of 5 and was awarded the PC Plus Recommended status. The product was also featured in an article in the Computer Reseller News in May, 1994.

> I know I ask a lot of questions, but this is an important part of
> computer protection. Thank you for your time.

We welcome the inquiries. Since this is a new way of providing comprehensive computer security (not just protection against viruses - EMD Armor Plus has extensive security features as well), there are many questions and concerns in users' minds. All this is understandable, and we welcome the debate.

Sujoy Deb, Ph.D.
Director
EMD Enterprises
** Developers of EMD Armor Plus, the generic solution to computer viruses**
606 Baltimore Ave, Suite 205, Towson, MD 21204, U.S.A.
Phone: (410) 583-1575 ext. 4624     Email: emd@access.digex.net
(800) 8989-EMD
24 hour fax-back: (410) 583-1575 ext 4, select document 1015 for EMD Armor Plus

------------------------------

Date: Thu, 30 Mar 95 18:59:38 -0500
From: netz@actcom.co.il (Zvi Netiv)
Subject: Re: French boot is Russian (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

>> It can be removed by InVircible, as well as ALL boot-mbr viruses,
>> (and others as well) regardless of their names and whether they are
>> known or new.

> You are wrong. There are some known boot sector viruses that
> InVircible cannot even detect, unless they are not active in memory
> (i.e., you boot from a floppy). There are also some infection
> techniques (though no virus exists that exploits them yet) that
> InVircible will not detect reliably on a floppy, even if the virus is
> not resident in memory.

What's wrong with being able to clean "only" the many existing boot and mbr viruses? Why scare the users with infection techniques that no existing virus exploits yet?
If InVircible can handle the existing 6300+ viruses (the figure is from one of your posts) - among them a few hundred are boot, mbr and multipartite - then I would think it's quite an achievement. The already existing viruses won't go away and it's nice to know there is a product that can take good care of them, before we start worrying about the future ones. :-)

Even if a new infection technology emerges as you say, then InVircible, using generic detection and recovery techniques, has the edge on your favorite scanners. No matter what technology a virus uses, it will take from months to years to spread, while adding a new generic technique to InVircible is a matter of hours, and distributing it through the web can take a couple of weeks at the most. Your `new infection technique' is thwarted even before it could start spreading. :-)

You will certainly agree that adding a generic technique to InVircible is much easier than adding a couple of hundred viruses every two months to the scanners and TSR. :-) InVircible is the proactive and anticipative anti-virus protection, while scanners and TSR are on the defensive, lagging behind the virus `production', with a continuously increasing gap.

The following example will illustrate how wrong you are. On December 4, 1994, a few hard disks in our military were zapped by a virus identified as Zappa. It's a plain boot-mbr infector that trashes the hard drive on Dec. 4, the day Frank Zappa died, and displays the message "Dedicated to Zappa ... ". All the zapped machines were protected with one of your favorite scanners, BRM's UNVIRUS. BRM's IMMUNE TSR was active on all those machines as well. The virus certainly got there before December 4, since they all booted from their hard drive when they got hit.

InVircible recognized Zappa both with passive scanning (yes, IVscan) and IV's proactive generic detection, when active in memory. IV couldn't tell the name of the virus, but removed it alright from both the hard drive and from infected floppies. With InVircible a situation like the above could simply never develop. You wrote many times that users want and ought to know what virus hit them. Fine! In Zappa's case the scanner was as helpful as the Coroner's advice, post mortem, but didn't help much in preventing disaster.

> It is indeed a good idea to install some kind of integrity checker that
> automatically recovers the boot sectors - DiskSecure II, HS, or even
> InVircible (though the latter is less secure in this aspect than the
> first two products).

You are repeating this error over and over again. For some reason that I ignore you decided that InVircible is an integrity based system across the board. Well, it is NOT! Boot and mbr infections are handled in several ways, most of them generic. An interesting one is cooperative SeeThru, this is the one that was used to remove Russian Flag, or Ekateringurg - as Eugene Kasperski was so kind to tell me. I hope that you'll like "SeeThru" more than "piggybacking", but even if not, I am happy if most users find it descriptive enough to understand.

What cooperative SeeThru does is to use the virus' own stealth properties in order to recover the original mbr or boot sector, and reinstate it in spite of whatever technique the virus uses. :-) There isn't a single boot stealth virus that could thwart SeeThru.

> Second, most people are asking "how to clean..." *after* their machine
> has been infected by a virus, so using an integrity checker is not
> very helpful. The integrity checkers are a powerful tool if installed
> *before* the virus strikes. Don't tell me that InVircible can
> successfully disinfect a hard disk infected with Da'Boys virus, unless
> a rescue diskette has been prepared *before* the infection.

Please refrain from explaining InVircible's working to the masses if you aren't familiar with how it's functioning. You are misleading the users and being unfair to my product.

First, yes, InVircible removes DA'BOYS in a fully generic way, no rescue diskette is needed, not even clean booting is needed. Just run it from the infected drive. :-) I just tried it a minute ago to have my answer right.

Secondly, you are implying that InVircible can function only if it has an integrity database established beforehand. It's false! InVircible functions with or without a database. Of course it helps if it has a database established before being hit, the recovery will be much faster and easier (a very good reason to get IV and install it right away :-) ), yet InVircible is very capable of detecting viruses and recovering from them without having any database at all. In many cases the recovery will be as complete as without having a previous installation. In Hemlock's case for example, and with NATAS, Tremor, Goldbug, Da'Boys, Monkey, Newbug, Ekateringurb, Zappa and a long line of others. :-)

> But, what strikes me is why boot sector viruses are causing so much
> trouble when it is *so* easy to handle them without any anti-virus
> products!

[ snip ]

> You don't need InVircible - or anything else - for it. And
> even if your machine gets infected with such a virus, a
> write-protected system diskette is usually all you need to disinfect
> it. SYS will get rid of the boot sector infectors and FDISK, if you
> have a reasonably new version of DOS, will get rid of the MBR
> infectors in most cases. In the few cases that remain - such as Monkey
> - a few DEBUG commands would handle it too.

Really? I wonder how you would clean Monkey from the master boot sector with DEBUG, when DEBUG is simply UNABLE to access the mbr? Or even a non-encrypted one, like Michelangelo. To the layman it looks as if it's a piece of cake if a guru like Bontchev says it's so. If what you wrote was feasible then it would have reflected badly on all anti-virus producers. What's really the big fuss if even Monkey can be removed from the hard disk with DEBUG and a few key strokes? But what you have been doing is misinformation. I suspect you have been overzealous to make your point in dismissing InVircible as trivial, and got carried away. I suppose a retraction from you is due.

Regards, Zvi

-------------------------------------------------------------------------
Zvi Netiv, author InVircible            NetZ Computing Ltd, Israel
Fax +972 3 532 5325                     email: netz@actcom.co.il
                                        antivir@netcom.com
CompuServe `GO InVircible'
ftp.datasrv.co.il/pub/usr/netz/
ftp.netcom.com/pub/an/antivir/invircible/
-------------------------------------------------------------------------

------------------------------

Date: Thu, 30 Mar 95 19:24:15 -0500
From: CCC1@ix.netcom.com (Christopher Coon)
Subject: Re: Yellow vs. White text in F-PROT virus list (PC)

kuchan@quark.cig.mot.com (Joseph M. Kuchan) writes:

>I've been using F-Prot for some time now, but have never understood
>the significance of a virus' name being in white text or yellow text
>in the virus information screen. What IS the significance?

I just figured it out. One color is the original virus, and the other color represents aliases.

------------------------------

Date: Thu, 30 Mar 95 21:49:22 -0500
From: contekot@inforamp.net
Subject: Is Anti CMOS a virus? (PC)

Anti CMOS was detected by Norton AntiVirus version 3.0. This message did not show up when tested by Central Point AntiVirus for Windows. The PC is working fine. No problem has been reported yet. What does Anti CMOS mean anyway? Will it damage any file at all? Your advice will be greatly appreciated. Thanks.

------------------------------

Date: Thu, 30 Mar 95 22:19:10 -0500
From: "Lesley Ogden, User Support Services, (803)953-6890"
Subject: All experts please read and respond! (PC)

I am having what I consider an unusual experience in two of 15 computer laboratories on campus.
About two weeks ago, several computers in one of the labs stopped running WordPerfect Presentations and returned an "insufficient memory" error. After examining the computers (486/33 IBM ValuePoints and DEC 486/33s and 486/66s running a mixture of IBM DOS 5.0 and MS-DOS 5.0 attached to a Novell Netware 3.11 network), I found strange things happening in memory (MEM/C) with unidentified programs using approx. 5-6K of memory. In addition, a part of the path was displayed as taking up 14.5K (/R2;/123;). There were also some items being bumped out of upper memory for no apparent reason.

Based on these occurrences, I began scanning these computers for a virus with other virus scanning programs (we normally run automatic scans with Intel's VSCAND from the network when each computer boots) and detected a "trace of TEQUILA" in memory using McAfee's VirusScan 2.1.1. After reading up on the tequila virus, I replaced the MBR's on each computer as well as the DOS directory (based on someone else's experiences in the December VIRUS-L postings). After rescanning without error, I was confident that all the computers were "virus-free."

Then, less than one week later, all the computers in two different labs began exhibiting similar symptoms (programs not running because of insufficient memory). So, back to the drawing board I went and these are the results of my findings:

  F-PROT 2.16 (March) and the older January shareware        No viruses detected
  version using Secure and Heuristic scans on the entire
  hard drive to scan ALL files

  Intel's VSCAND 2.0 (updated virus data 3/95)                No viruses detected

  Norton's Antivirus (free Michelangelo edition)              No viruses detected

  McAfee's VirusScan 2.20 (beta) and 2.1.5 (current)          No viruses detected

  McAfee's VirusScan 2.1.1 (November 1994)                    Traces of Tequila virus
                                                              found in memory*

  *This only occurred when the computer was booted from the hard drive - a
   diskette boot comes up clean.

Based on McAfee's technical support recommendation, I repeated all the tests with their products using the /clean switch, to no avail, with the newer versions not reporting a virus at all.

Under normal circumstances I would automatically assume that I was receiving a false reading from McAfee's VirusScan 2.1.1, but there is no denying that I have a memory problem with computers that have never had problems before (approx. available conventional memory normally after drivers load is 550K - now it's between 350-400K on each computer).

Does anyone have any advice? Similar situations? Remedies?

Regards,
Lesley

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lesley Ogden                                   User Support Services Manager
The Citadel                                    171 Moultrie Street
Charleston, SC 29409                           OGDENL@CITADEL.EDU
(803) 953-6890
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Thu, 30 Mar 95 23:09:01 -0500
From: awitas@ix.netcom.com (Adam Witas)
Subject: Desperately need help cleaning DA'BOYS virus!! (PC)

I have a very serious problem with a virus called DA'BOYS. McAfee version 1.5 detects it, but does not clean it. :-C Norton is supposed to clean it, but I don't have Norton. Does any one have (or know where I can get) a virus cleaner that will kill DA'BOYS virus?

Thanks in advance!

--
Adam Witas
Awitas@ix.netcom.com

"It has been determined that research is the leading cause of cancer in lab rats."
------------------------------

Date: Fri, 31 Mar 95 00:20:58 -0500
From: Roberto Parker
Subject: Espejo AV (PC)

We have developed an AV for espejo. Interested leave an E-Mail

Regards
Roberto Parker

------------------------------

Date: Fri, 31 Mar 95 01:11:45 -0500
From: dond@ix.netcom.com (Don Di Tomasso)
Subject: Teletype virus (PC)

To All,

Has anyone heard of Teletype virus. This virus showed up at work in a keyboard program disk. It only appeared on a computer with PC Central Point for Windows virus protection software. The virus software did not detect the virus. The Teletype message appears on screen only when there is an attempt to access the disk from DOS (or a DOS box). Let me know if you know anything about the virus.

Thanks.

Sincerely,
Don D. (dond@ix.netcom.com)

------------------------------

Date: Fri, 31 Mar 95 01:27:10 -0500
From: Mesmer@ix.netcom.com (John Harrington)
Subject: Re: A Known Virus? (PC)

solomon2@GRANDE.NM.ORG (Ken Solomon) writes:

>A bunch of my friends have been stricken by what appears to be a virus.
>I'm curious if anyone out there has seen this before and if so if it
>is a virus and if there is a cure?
>Symptoms: On boot their computers no longer recognize the hard drive.
>(On DOS based machines.) They would appreciate any help.

Just happened to a friend of mine, too. All he had to do was reset his CMOS specs for drive C: and everything was back to normal. He now has a Norton's Utilities RESCUE disk next to his computer.

Later, he found a couple of programs that seemed to be acting up, so he reinstalled them. He says he scanned his drive with MSAV after he got it back up and running, but if it was caused by some new virus then MSAV may well have missed it. He will scan again tomorrow with F-Prot, but the same cause may render that unable to recognize the virus, too.

At any rate, a RESCUE disk will let your friends restore their CMOS.

--
Mesmer
John Harrington, C.Ht.
1@2732 WWIVNet
Brandon, FL

------------------------------

Date: Thu, 30 Mar 95 13:59:22 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: In InVircible - A Recent Review - Where to obtain? (PC)

Robert C. Casas Ph.D. (casas@netcom.com) writes:

> I agree that comparing InVircible to file scanners would be misleading.

Comparing the *integrity checker* part of InVircible to known-virus scanners (something that the author of the review being discussed did) definitely *is* misleading. The proper thing to do would be to compare the known-virus detection capabilities of the products being reviewed. The only program with such capabilities in InVircible is IVSCAN.

> Comparing InVircible to programs with crc-based integrity checkers such as
> Integrity Master would also be misleading.

Why?! It is perfectly correct to compare the integrity-based virus detection programs in a product. In InVircible this is IVB, in Integrity Master this is IM. Of course, IM also does known-virus scan; now comparing *that* property with IVB would be misleading.

BTW, not all integrity checkers are CRC-based - just many of them are. Virex-PC uses (I think) a proprietary (and insecure) algorithm, so does CPAV - they don't use CRCs. The integrity checker from Dr. Solomon's Anti-Virus Toolkit can use CRC or DES. It doesn't really matter. What matters is how secure the integrity checker is, how well it detects the different types of viruses (note - types; not particular viruses), and how well it withstands the different attacks that viruses can employ against integrity checkers.

> InVircible's integrity _analyzer_ does not use crc-based checking to evaluate
> whether files have been infected by a virus. Such checks would generate too
> many false positive alarms when used as an AV method. That's one reason
> InVircible's IVB program uses its own signature techniques for determining
> whether a file has been changed by a _virus_.
The above statement is a typical misleading use of buzzwords that all people connected with InVircible seem to like so much. What you call "own signature techniques", actually means that the program uses a set of heuristics to determine whether the detected change has indeed been caused by a virus. Big deal, Untouchable used to do it long time ago. > InVircible analyzes areas of a file most likely to be changed by > viruses. And cheerfully misses others which are less likely to be changed by a virus, but viruses exist that *do* change them nevertheless. > This is a more effective and safe method of finding virus > caused file changes in contrast to benign and legitimate changes, or any > change at all. No. It has nothing to do it effectivity and safety. It is a way to reduce the false alerts that integrity checkers are so prone to. As a trade-off, it introduces a few backdoors, through wich a virus can slip in. Therefore, it actually *reduces* the security, but this is the price of increased usability. > I don't know of any other "integrity analyzer" to compare IVB > (InVircible's integrity analyzer) against. Then your knowledge in this area is rather on the lacking side. Untouchable used to do it years ago, Norton Anti-Virus still does it, some other products do it too - ADInf, for instance. > Your misconception that Paul William's study of antivirus products is a > "total fabrication" is understandable. It sure is. Although, I was inclined more to believe that Mr. William's goof-up was more a result of sincere incompetence than of a malicious fabrication. > F-Prot did not perform as well as > InVircible in this study. This so-called "study" simply compared incomparable things. Appleas with oranges, as Frisk said. They should have compared InVircible's integrity checker with the one in F-Prot Professional. Then IVB might have come up a winner too, but at least it would be honest. Now it is't - it is just misleading the users. 
> F-Prot is
> designed primarily to detect viruses in files - which it does quite well,
> in my opinion - but it does not pretend to provide disaster recovery
> capabilities,

Exactly. It is useless to test a product for a function it doesn't claim to perform. Just mentioning that it doesn't offer that function is enough.

> for example, when a user is denied access to their PC as
> a result of a boot sector virus.

Not sure what you mean, but if it is a virus known to F-Prot, then you are wrong - the scanner can handle the situation. Just use the option /HARD. This is the standard way to proceed when cleaning Monkey, for instance.

> If
> InVircible were compared to F-Prot in a test of this type then F-Prot
> would fail miserably. Only a fool, however, would put F-Prot to such
> a test comparison and claim they had performed a valid test. :-)

Yep! But that's exactly what the "review" in question did - it compared InVircible's integrity checker with *scanners*! I completely agree with you that only a fool would have done this. :-)

OK, I am ready to give Mr. Williams the benefit of the doubt - maybe he's not a fool; maybe he's just incompetent. Ignorance is curable (at least sometimes - when the ignorant person is willing to learn), but this is not the issue here. The issue is that his "review" shouldn't be trusted.

> Paul Williams' study examined more than whether an AV product could detect
> viruses in files. That's why InVircible performed more effectively than
> other products examined including F-Prot, TBAV, McAfee, Norton, CPAV,
> and more.

Then Mr. Williams has completely screwed up something. I got several dozens of viruses that were in files and InVircible couldn't detect NOT EVEN A SINGLE ONE OF THEM, while F-Prot, TbScan, and AVP detected them ALL. Since the scanner part of InVircible has such a poor detection rate, it is unable to detect many viruses in the files.
The integrity checker part of the product (IVB) is unable to detect viruses in files at all per se - it is only able to detect file modifications - if it has been used to compute a checksum of the uninfected files first. However, when I run it on an already infected file, it happily computes its checksum, without finding any virus at all - while all the good scanners did.

I am not claiming that "scanners are better than integrity checkers" - I am just pointing out that such "tests" are meaningless. The two types of products simply do two different things.

> Williams' tests are the first that we know of that were run with
> live viruses

Then you are again exposing your ignorance. Had you been following the specialized literature in this field, you would have known that many other reviewers have used "live viruses" in their tests. In fact, almost all of them do. Those who don't (e.g., those who use "inactive viruses" or "simulated viruses" or "emasculated viruses" or whatever the buzzword is this week for something that is unable to replicate) do not deserve the name "reviewers of anti-virus products".

> and also addressed issues such as false alarm susceptibility,

Virus Bulletin's reviews have regularly reported when products cause false alarms.

> file recovery capability

Secure Computing recently did disinfection tests. You really should pay more attention to what is happening in this dynamic field.

> > METHOD OF TESTING
> > All tests were conducted with the respective viruses under test being
> > inactive in memory.

So, he didn't test the scanners' ability to detect viruses in memory. So, it didn't test InVircible's anti-stealth techniques. Too bad.
> > Note that if the same tests had been conducted with
> > the viruses under consideration being active in memory, the detection
> > rates of all the scanners listed (except InVircible 6.01c) would have
> > declined sharply due to the difficulties of detecting many members of
> > the stealth family of viruses when they are able to cloak their
> > activities.

This is total nonsense, demonstrating again Mr. Williams' incompetence. All self-respecting scanners (except probably TbScan) would have had absolutely no problem detecting that a virus - stealth or otherwise - is present in memory. TbScan wouldn't have detected them there, but would have detected them on the disk, regardless of their "stealthiness".

> > Since InVircible 6.01c is deliberately designed to work in a hostile
> > environment (it works by detecting virus activity, as noted earlier), I
> > have discovered that Invircible is not tricked by any of the stealth
> > viruses I have tried against it up to this point so far, including the
> > new polymorphic stealth viruses Republic and Hemlock.

How did he discover that if "all tests were conducted with the respective viruses under test being inactive in memory"?? Maybe he just read InVircible's marketing claims, believed them, and reported them as "test results"?

> Only lack of information and research allows you to speculate that the
> study was a "fabrication."

Admittedly, Mr. Williams didn't do too well at providing enough information about the tests. For instance, when *I* am doing scanner tests, the protocols (the output of the scanners) are always publicly available from our anonymous ftp.

> Why don't you contact the reporter who wrote
> the _two_ articles. His name is Dwight Silverman. His articles were
> originally published in the HOUSTON CHRONICLE, which is located in

I am an anti-virus *expert*. I don't get my information about viruses from the journalists, even if they happen to work for the HOUSTON CHRONICLE or for anything else.
I would have contacted the person who had performed the test, if an e-mail address had been made available.

> > As a *scanner*, Invircible is bad...very bad...down at the bottom, together
> > with MSAV. However, Invircible is not primarily a scanner ... and it
> > should IMHO be compared to other similar programs, not to a totally
> > different set of programs.

> I do not totally agree with either of your points.

I, however, totally agree with both of them.

> Let me respond to
> the second.

How about the first? After all, IVSCAN's known-virus detection rate *is* miserably low.

> The issue faced by any antivirus product is whether it can
> detect when your PC or network has been affected by a virus, _and_ assist
> you in recovering and restoring your system to operational status. It

Frisk said that the review compared apples with oranges. Your response is equivalent to "the issue is that they are all fruits and whether they are able to feed a person".

> matters little _how_ this is achieved. It only matters whether the AV
> product can successfully accomplish this end. The purpose of an antivirus
> product is not solely to detect viruses in files even though this is
> certainly a legitimate goal.

This does contain a grain of truth, but is not entirely correct. You see, the purpose of the scanners is to detect *known* viruses. This is why the proper way to test them is to run them on a virus collection and see how many viruses they can detect and recognize.

As opposed to that, programs like integrity checkers and behaviour blockers are *generic* anti-virus programs. Their goal is *not* to detect specific viruses - that's why it doesn't make sense to test them against a virus collection (as Mr. Williams obviously did). Those programs are designed to protect against virus *types*. That's why they have to be tested against the different attacks that viruses can employ against such kinds of protection.
The possible attacks against integrity checkers are listed in a paper of mine, which is available via anonymous ftp:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/attacks.zip

The possible attacks against behaviour blockers will be listed in my Ph.D. thesis. They are mostly tunnelling.

Therefore, the proper way to test an integrity checker is to create a program that would implement all the attacks described in my paper and see whether the integrity checker withstands them. (As a matter of fact, InVircible's integrity checker IVB fails to protect against almost any of them.) Similarly, the proper way to test a behaviour blocker is to implement different kinds of tunnelling and see whether the blocker can stop them. Of course, there is one more test that has to be made - one of usability. One has to install the behaviour blocker on one's system and see for how long one would be able to perform one's usual work without being disturbed by the product.

> A proper test, therefore, does not compare scanners to other scanners. A

Just the opposite. A proper test compares scanners to scanners, integrity checkers to integrity checkers, behaviour blockers to behaviour blockers, and so on.

> The typical focus on how many viruses an antivirus package detects is
> misguided because it is myopic in its presumptive conceptual basis. It's
> myopic because detection is _only one_ aspect of AV protection. Restoration
> and recovery of a system are equally important.

This is true. However, scanning *is* an important issue and *has* to be tested - because so many users rely on it. Whether they are right or wrong could be argued (I tend to agree that they are wrong), but the need *does* exist. And the proper way to test a scanner is to compare it with other *scanners* and see how well it detects known viruses - not to compare it with integrity checkers.
> The difficulties involved in performing valid AV package comparisons are
> not as insurmountable as some people would have us believe. It would not

They are so big only if you want to perform a *good* and thorough test. A bad and incompetent test (like the one that Mr. Williams did) can indeed be done very quickly.

> take "years and years", as some people claim. To perform a valid test of
> the _end results_ (detection, restoration, and recovery ) achieved by
> different software packages revolves around one central issue: sampling.

Oh yeah? OK, I took a simple companion virus - let's say AIDS. IVB failed to detect the fact that the virus infected some files. The scanner (IVSCAN) failed to detect the virus too. So, one must conclude, by using this "sample", that InVircible doesn't detect viruses at all, right?

> An experiment's validity ( both internal and external ) is, in large part,
> a function of proper sampling methodology. Sampling properly, however, is
> not restricted to just the number and kinds of viruses involved.

So tell us, what does this "proper sampling" consist of?

> An equally important aspect of sampling involves utilizing all of the
> available methods a software package has for performing a basic function.
> For example, InVircible has _6_ distinct methods for _capturing_ a virus.

All of them failed to detect a simple companion virus. Should we therefore agree that all 6 of them are useless for virus detection? FYI, F-Prot (and almost any other scanner) detected it.

> IVSCAN can be used to detect a limited number of common viruses in files
> but many more in memory or in boot sectors.

Too limited, that's the problem with it.

> IVB - the integrity analyzer -
> can also be used to detect the presence of very many more viruses in files.

Wrong. IVB is COMPLETELY UNABLE to detect viruses in files.
It can only detect the fact that a file that has been checksummed when clean has become infected - and even this it is unable to do properly in many, many cases.

> ResQdisk
> can be used to detect viruses in the partition and boot sector very reliably.

I'm afraid that ResQdisk hasn't heard the term "hardware-level stealth" and hasn't been acquainted with the Strange virus.

> IVX - the "hyper correlator" - can be used to detect new and unscannable
> viruses in files when given a virus sample to use, which is typically
> achieved through IVINIT or IVTEST.

Another silly buzzword, obviously intended to impress the ignorant user. What you call a "hyper correlator" is essentially doing automatic scan string extraction, by comparing several files that are supposed to be infected by one and the same virus and comparing the code near their entry point. Other products - like Victor Charlie and TbScan (the registered version only) - have been doing it for years, without the hype that you use to promote your product. IBM is using this method (on a *much* more scientific basis than you) internally to speed up their work on updating their scanner - they understand that this technology is too unreliable to be given into the hands of the end user and should be used only by the experts who are able to interpret its results properly.

Oh, yes, and, needless to say, your so-called "hyper correlator" fails miserably when dealing with a polymorphic virus. I did some tests with an MtE-based virus and it failed to detect *any* other instance of the virus (but gave one false positive on a perfectly innocent file).

> IVTEST can be used as a non-resident
> method of reliably capturing memory resident viruses of all types, boot
> and mbr infectors, and what's even more important - sampling live viruses
> for use by IVX.

It does this by creating and executing COM and EXE goat files with names consisting of 8 random alphanumeric characters.
Any virus which avoids infecting files with such names (e.g., one that infects only files with shorter names) will evade it. A virus that is particularly picky about the size of its victims (e.g., infects only large EXE files) will evade it too.

> IVINIT can be used to capture boot sector/partition viruses
> and memory resident viruses of all types.

Not all types. Remember Strange.

> Finally, IVSCAN, IVB and IVX ( the scanning modules of InVircible ) will
> all capture the activity of fast file infectors, _before_ they have the
> chance to infect any significant number of files, alert the user, and halt
> the process.

Haven't tested this, but I am pretty sure that this won't work against a fast-infecting companion virus - for the simple reason that your product doesn't seem to detect companion viruses at all.

> Can F-Prot do this with a _new_ fast infector such as Hemlock
> active in memory? You and I both know that it cannot.

I am not familiar with Hemlock (although I do have it), but in many cases F-Prot will detect the problem - because such a virus active in memory will almost certainly infect it and F-Prot's self-checking capabilities are rather good.

> F-Prot
> lacks the _generic_ capability to detect and halt fast file infectors.
> It can only do this with known viruses already in its database.

Of course - that's what it has been designed for! F-Prot is a scanner, in case you (or Mr. Williams) haven't noticed.

> By contrast, using _generic_ ( non-virus specific ) methods InVircible's
> programs capture HEMLOCK, alert the user to the process, and abort
> the scan ( IVB, IVSCAN, IVX ). Whose "detection" is better in such cases
> and how do you quantify the above differences? :-)

Using _generic_ virus attacks works quite well against generic anti-virus programs. Companion infection is one such attack. InVircible totally fails to prevent it. There are other such attacks - read my paper - and InVircible fails to prevent many of them.
> I should mention InVircible's modules performed this way with HEMLOCK
> even before we knew the virus existed. This _generic_ ability is designed
> into InVircible.

No, it is designed into IVB - the integrity checker part of InVircible. That's why this part of the product has to be compared with other generic products - like Integrity Master, or the integrity checker in TBAV. Comparing it with a scanner (F-Prot) is totally devoid of common sense.

> Maybe F-Prot will be able to perform this way once you have
> analyzed HEMLOCK and included it in F-Prot's database. In your next update,
> perhaps? :-)

Of course. That's the way scanners work. And I can bet you that F-Prot's update will reach most users *before* the Hemlock virus has had the chance to infect their machines.

> Since InVircible's programs use primarily generic methods these abilities
> won't need to be updated until a new _class_ of viruses is created.

Problem is, several _classes_ of viruses that remain undetected by any of InVircible's programs ALREADY EXIST!

> The situation is entirely different with other AV packages which need to be
> updated when new viruses are released.

Agreed. That's why such packages must not be tested together with the generic virus detection methods of InVircible - only together with its virus-specific detection methods, which are, unfortunately, miserable for your product.

> While users wait for the updates
> they may be helpless against the new viruses.

Wrong. Scanner updates spread *much* faster than any virus.

> It would appear that you're quite right, it would be a poor "test" indeed
> if InVircible's virus _detection_ capability were evaluated using IVSCAN
> alone.

True. However, it *is* correct to test IVSCAN's known-virus detection capabilities against the known-virus detection capabilities of other products.

> Most prior antivirus software comparisons have focused on differences
> between file scanners because this is quite easy to do.

Yep.
> However, this is a
> bad way to test the effectiveness of an antivirus package in restoring a
> PC or network to operational status after it has been infected. This is a
> critical issue for a very practical reason.

Unfortunately, a good and more complete test is so difficult as to be prohibitive - so we're left with the choice of either not to do it, or to do it badly. I have decided not to do something that I am unable to do right. Obviously, Mr. Williams has decided otherwise.

> Specifically, even though there are excellent file scanners available - I
> believe F-Prot is one of the best, and Zvi keeps repeating this, too -

In my tests AVP performs slightly better.

> PC's and networks continue to be infected. Even PC's and networks in which
> F-Prot is used.

My experience is quite the opposite. In most infections that I have witnessed in the past six years of my experience with computer viruses, people were either using an ineffective scanner (e.g., MSAV, or an archaic version of SCAN) or no anti-virus protection at all.

> It matters little whether the failure to prevent the
> infection was due to operator error, i.e., the scanner wasn't used, or
> whether it was due to the product's own limitations. The fact remains that
> infections occur.

Yep, that's true, but largely irrelevant. The write protection tab on a floppy can stop *any* virus, if it is working properly - yet viruses keep spreading via floppies. Setting the machine to boot from drive C: first would stop *any* boot or master boot only infector - yet people keep getting infected mostly by exactly this kind of virus.

> Therefore, AV packages, like InVircible, which have superb
> system disaster recovery tools ( ResQdisk, and IVSCAN, by the way ) are
> needed and essential.

If you are right and InVircible were the solution to the problem, why do people keep getting infected?!

> Earlier you stated that IVSCAN was a "very bad" scanner.
> I suppose when it
> is compared to F-Prot's scanning _detection_ ability this is true. However,

Yep, it is.

> IVSCAN has many "detection" capacities that F-Prot lacks.

This is also correct. However, there are products that implement integrity checking better than the other "detection parts" of InVircible too. Ever seen Untouchable?

> The first is the
> ability to _capture_ new and yet unknown memory resident infectors, fast
> file infectors, even _active_ stealth boot or mbr infectors using generic
> methods.

We are talking about the ability to *detect* viruses. The ability to "capture" them is irrelevant, if you can't detect them in the first place.

> The second is that it can use a stealth virus's own properties in a
> cooperative manner to _recover_ from boot/mbr infections, and to _restore_
> files to their original status while the virus is live and in memory.

Many other integrity checkers do that too - many of them do it much better than InVircible too. So what? How is this relevant to the points being discussed - that Mr. Williams' "review" was incompetent and that IVSCAN's known-virus detection rate is miserably low?

> I'm referring to the "virus interrogation" and "inverse piggybacking"
> techniques described in IV's manual.txt and online hypertext.

Buzzwords. You mean anti-stealth techniques. TBAV, VDS, Untouchable, and now FindVirus have been doing it for ages. It certainly helps, but it is not possible to implement it in a way that is both 100% secure and reliably portable on all platforms.

> the InVircible package. In situations where F-Prot would (and did) infect
> an entire system during a scan - i.e., the new HEMLOCK virus - IVSCAN
> would _alert the user_ to its presence and it could even capitalize on its
> stealth property to restore virus altered files. From this perspective
> IVSCAN is not bad. :-)

But IVSCAN - or any other part of InVircible - failed to detect even a trivial companion virus.
For a generic virus detection program this is *too* bad.

> Rather, it is, quite literally, unique and quite
> valuable when used properly. :-)

Unique it certainly isn't. You are demonstrating your ignorance again. There are several other products that do such things. You really ought to look closely at your competitors' products, instead of mindlessly bashing them.

> > Any decent integrity checker should get a 100% detection rate, and 0% false
> > positives.....provided that you install them first, before your machine
> > gets infected.

> Well, I can see your standards are quite high. :-) I would settle for 99%,
> myself, _if_ the software _suite_ had multiple and partially redundant
> mechanisms to perform the same function. Presumably the non-overlapping
> areas of function would ensure that at least 99.9% of the changes could
> be detected. :-) Fortunately, the InVircible package is designed this
> way and users can therefore be assured that when one tool fails they have
> several more to use, as well.

This is complete, total, and utter rubbish. As I stated, no part of InVircible was able to detect a simple, trivial companion virus. I can easily write a program that would produce 10 billion such viruses - none of which will be detected. This will make the detection rate drop to whatever low number I want. And, since there are a few hundred companion viruses already in existence, this means that InVircible *already* necessarily performs much worse than any simple scanner like AVP that has a high known-virus detection rate (AVP scores more than 99%).

> I know that Paul Williams is aware of this aspect of InVircible. Perhaps

His awareness certainly didn't show in his so-called "review".

> this is why he concluded that InVircible had a 100% virus detection rate,
> a 0% false alarm rate, and an "amazing" ability to recover and restore an
> infected PC using the 4000+ viruses he examined.
> :-) Perhaps adding a new

So, I guess, he failed to include even a single companion virus in his collection?! My, my, I get further and further convinced of his utter incompetence regarding viruses and anti-virus matters.

> restoration to 99.9%. Even if this happened, there is no doubt in my mind
> that InVircible would still perform more effectively, overall ( detection,
> recovery, restoration), than any other product on the market. :-)

Well, you are wrong. It wouldn't.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 32]
*****************************************
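The companion-infection weakness Bontchev keeps returning to in the exchange above (a new NAME.COM dropped beside a baselined NAME.EXE leaves every checksummed file unchanged, so a checker that only re-hashes known files sees nothing) as an added Python example; this is not code from the digest, from InVircible or from any other product named, and the scratch directory, its file contents, SHA-256 in place of the CRCs mentioned, and the PRECEDENCE table are assumptions constructed for the demonstration:

```python
"""Added example, not code from InVircible, F-Prot or the digest.
A baseline/compare integrity checker, and why a companion infector slips
past one that only re-hashes files it already knows: the planted NAME.COM
is a *new* file, so every baselined file still matches its checksum.
Assumptions constructed here: the scratch tree and its contents, SHA-256
instead of CRC, and the DOS lookup order modelled by PRECEDENCE."""
import hashlib
import os
import tempfile

# DOS resolves a bare NAME on the command line as NAME.COM, then NAME.EXE,
# then NAME.BAT; a companion infector relies on that order by planting
# NAME.COM beside an existing NAME.EXE (lower value runs first).
PRECEDENCE = {".com": 0, ".exe": 1, ".bat": 2}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Digest every file under root: the 'install while clean' step."""
    table = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            table[os.path.relpath(path, root)] = sha256_of(path)
    return table


def naive_check(root, table):
    """Re-hash only the files recorded in the baseline and return the
    modified ones; files added since the baseline are never looked at."""
    return sorted(rel for rel, digest in table.items()
                  if os.path.exists(os.path.join(root, rel))
                  and sha256_of(os.path.join(root, rel)) != digest)


def companion_aware_check(root, table):
    """Same modification test, plus a companion heuristic: flag any NEW
    executable whose stem matches a baselined executable that DOS would
    run later (e.g. new FOO.COM next to known FOO.EXE)."""
    current = baseline(root)
    modified = [rel for rel in table
                if rel in current and current[rel] != table[rel]]
    known = {}
    for rel in table:
        stem, ext = os.path.splitext(rel.lower())
        if ext in PRECEDENCE:
            known.setdefault(stem, []).append(ext)
    companions = []
    for rel in current:
        if rel in table:
            continue
        stem, ext = os.path.splitext(rel.lower())
        if ext in PRECEDENCE and any(PRECEDENCE[ext] < PRECEDENCE[e]
                                     for e in known.get(stem, [])):
            companions.append(rel)
    return {"modified": sorted(modified), "companions": sorted(companions)}


def demo():
    """Baseline a clean tree, then simulate two events: a legitimate edit
    of README.TXT and a harmless stand-in PROG.COM appearing next to
    PROG.EXE (constructed fixture, no real virus involved)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "PROG.EXE"), "wb") as f:
        f.write(b"MZ constructed stand-in for a program")
    with open(os.path.join(root, "README.TXT"), "wb") as f:
        f.write(b"release notes")
    table = baseline(root)
    with open(os.path.join(root, "README.TXT"), "ab") as f:
        f.write(b" (edited after baseline)")
    with open(os.path.join(root, "PROG.COM"), "wb") as f:
        f.write(b"constructed stand-in that DOS would run before PROG.EXE")
    return naive_check(root, table), companion_aware_check(root, table)


if __name__ == "__main__":
    naive, aware = demo()
    print("naive checker reports modified:", naive)     # ['README.TXT']
    print("companion-aware checker reports:", aware)    # adds 'PROG.COM'
```

The naive checker correctly catches the edited README.TXT but is blind to PROG.COM, which is exactly the gap a checker that watches only files it already knows about cannot close without also looking at what is new.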