VIRUS-L Digest   Wednesday, 19 Apr 1995    Volume 8 : Issue 37

Today's Topics:

Re: Write-protect media
Re: viruses in binaries?
Re: Be careful what you write ? Was Q: Neuville (All)
Try out Norton Anti-Virus for free! (PC)
My Little Pony (PC)
Re: Need Info about viruses? Get VSUM... (PC)
Re: French boot virus is Russian (PC)
Re: Monkey B virus (PC)
Re: Disinfecting ANTIEXE virus (PC)
Re: FDISK /MBR ?? - virus.txt [1/1] (PC)
Re: Virus that screws up WFWG 32-bit disk access? (PC)
Re: Noint Virus? (PC)
Re: Looking for information (PC)
Re: Can this HardDisk be saved? (PC)
Re: Help - Virus on Diskless PC (PC)
Re: Virus check (Newbie) (PC)
Re: Quox Virus (PC)
Re: Omnicron PT Virus (PC)
Re: Windows 95 (PC)
Re: Strange Request (PC)
Re: Undetectable stealth viruses (PC)
Re: die hard 2 virus - help! (PC)
RE: WIN95 AV Software (PC)
Re: **Deperate for help!!!!!** Please read! (PC)
Re: Is Anti CMOS a virus? (PC)
Re: Desperately need help cleaning DA'BOYS virus!! (PC)
Re: All experts please read and respond! (PC)
RE: Windows 95 (PC)
RE: Re: Help with the stoned virus (PC)
Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)
Re: Caution: Some copies IBM's Disk Mgr 6.0.3 may be infected. (PC)
Re: Virus that screws up WFWG 32-bit disk access? (PC)
Re: Hardware Virus Protection - EMD Armor Plus (PC)
Die Hard 2 (DH2) Virus (PC)
Re: Help: GNEB Virus (PC)
RE: Re: Virus that screws up WFWG 32-bit disk access? (PC)
Re: Remove stealth virus - it's easy (PC)
Form Virus (PC)
Macafee 2.20 (PC)
Re: Norton Anti-virus updates? (PC)
InVircible is a Trojan Horse! (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.)

Please sign submissions with your real name; anonymous postings will
not be accepted.  Information on accessing anti-virus, documentation,
and back-issue archives is distributed periodically on the list.  A
FAQ (Frequently Asked Questions) document and all of the back-issues
are available by anonymous FTP on CORSA.UCR.EDU.  Administrative mail
(e.g., comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.MIL.  All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 11 Apr 95 09:36:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Write-protect media

Don Di Tomasso (dond@ix.netcom.com) writes:

> Do some viruses affect write-protect disks? Is that possible?

The short answer is: NO. For a longer and more detailed answer, see
the FAQ for Virus-L/comp.virus; question D8.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:41:02 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: viruses in binaries?

Frank Sofsky (sofsky@midget.towson.edu) writes:

> There has been so much debate on whether or not a virus can come
> from a binary picture file; I have read so many times that viruses can
> only come from execute and command files; does anyone really have
> the correct answer to this?

The correct answer to this depends largely on your definition of "come
from".

If by "come from" you mean "Can my machine become infected with a
computer virus when I am viewing a binary picture obtained from a
dubious source?", then the answer is "No.".
If by "come from" you mean "Can I use a binary picture to transfer a
computer virus, like I can use PKZIP to transfer an infected file?",
then the answer is "Yes, it depends on the particular kind of picture
- can be done with GIFs but not with JPEGs - and the recipient must
extract the virus from the picture to an executable file and run this
file, in order to get infected." You cannot force him/her to do the
latter against his/her will.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 11:34:23 -0400
From: swidlake@rl.ac.uk (S Widlake)
Subject: Re: Be careful what you write ? Was Q: Neuville (All)

Israel Kay <100112.2001@compuserve.com> writes:

[Munch - "It was their fault..." statement deleted.]

>Please watch your accusations. You make serious ones. You have not
>convinced me that IBM is at fault here.

>Please remember that this is a public conference. If you are wrong,
>you can possibly be held legally liable for making such comments.

What? This is a joke isn't it - April 10th. (nine days off) maybe not.
I didn't think it was slander or libel (What do the .US o'A folks
have?)

I think you're reading way too much into this. You'd have to go to
extreme lengths to upset someone, or some company, in (probably) a
different country, enough to somehow get you into their country to "do
you" for it, and what, or whose, law would they use... this could get
interesting esp. with the .NET being un-regulated.

So how far would you have to go? Dell PC's are absolute total C...
enough? (And I can back it up)

There again this is a moderated news group, so it's his fault ;-)

[Other good stuff (including the "add.", not so good) - deleted.]

S.
-- 
sig II Still Under Construction ...

------------------------------

Date: Tue, 11 Apr 95 04:14:26 -0400
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Try out Norton Anti-Virus for free! (PC)

Symantec is now offering a test version of NAV 3.0 for DOS to
individual users. This version includes full virus detection of the
standard product. It also has the ability to clean any boot sector
viruses you might detect. File viruses are not repaired; the complete
version of NAV must be purchased for $49.95 + shipping (order forms
are created from a separate program should you need this).

The trial version should be combined with the updates which are also
available. Both the monthly updates as well as the NAV special edition
are available for anonymous ftp from:

ftp://cs.ucr.edu/pub/anti-virus-utils
or
ftp://ftp.symantec.com/public/dos/nav

The special edition NAV is called, "NAVSCN.EXE". The current updates
(April) are entitled, "30A18B.ZIP" as of the posting date on this
message.

-- 
Kevin Marcus, CS Dept, U/CA, Riverside:  datadec@cs.ucr.edu
Norton AntiVirus Research:  Kevin_Marcus_at_SYM-SM@symantec.com
Virus-L archives:  ftp://cs.ucr.edu/pub/virus-l

------------------------------

Date: Tue, 11 Apr 95 08:10:07 -0400
From: vangogh@freenet.hut.fi (Marko korhonen)
Subject: My Little Pony (PC)

I have only one question. Does anybody know anything about a virus
called "My little pony" - it seems that this virus destroys files
randomly etc... Ok. other question : How to get rid of it.

vangogh@freenet.hut.fi (Please, use this address for reply)
-- 

------------------------------

Date: Tue, 11 Apr 95 08:26:18 -0400
From: swidlake@rl.ac.uk (S Widlake)
Subject: Re: Need Info about viruses? Get VSUM... (PC)

frisk@complex.is (Fridrik Skulason) writes:

>looksoft@globalx.net (R. Livingstone) writes:

>>more about a particular virus. May I suggest to get VSUM from Patricia M.
>>Hoffman (BBS:1-408-244-0814).

>You may, but it is not a very good suggestion.

>>She works hard to bring more information about viruses

>unfortunately, the number of errors in VSUM is huge....I recommend staying
>away from the package.

>Also, Patty never seems to respond to any corrections sent to her...I have
>been trying to tell her for several years that the "RAM virus" description
>is just one big error, but as far as I know it is still in there.

Well that's not too much of a surprise in this case. The "RAM virus"
appears to be a "copyright virus" - if anyone is foolish enough to
include this "virus" in their package then the information must have
been copied directly from VSUM ;-(

Anyway... this "virus" is not in itself a virus - it would appear to
be a combination of two (well known) viruses and may have started out
as a (big) mistake (one of many) in VSUM but then left in,
intentionally.

>Also, the information on how to disinfect is usually incorrect, the names
>are wrong, virus sizes are inaccurate, her diagrams of relationships are a
>joke etc...

All true... also (last time I looked) the certifications lean very
heavily in favour of one .US product which seems to get the latest
version certified whereas all the others are a couple - or more! -
months old. Unfair... unfair... but they did say a thing or three
about MSAV and CPAV ie. Avoid... avoid...

>I consider VSUM a waste of time.....

Seconded. The best (anti-) virus info. is IMHO in old copies of Dr.
Solomon's AVTK - a couple of pages on each virus - unfortunately these
old manuals aren't too good for the newer viruses but we don't get too
many of them. By "old", I mean a couple of versions ago. The on-line
help in the AVTK should be good enough for most people, though, and
the same goes for F-Prot... I particularly like the info. on ANTIEXE
(now that it's been fixed) in ver. 2.16D, that's a D ;-)

S.
-- 
sig II Still Under Construction ...
------------------------------

Date: Tue, 11 Apr 95 08:46:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: French boot virus is Russian (PC)

Robert Casas (rc.casas@ix.netcom.com) writes:

> > products! Just configure your CMOS to instruct the BIOS to boot from
> > the hard disk, instead from the floppy drive et voila - you have
> > stopped all boot/MBR viruses.

> This is so typical of traditional AV thinking. The answer to virus problems
> is to _decrease_ the functionality of your PC.

HUH?! Could you please explain to us how instructing your BIOS to try
to boot from the hard disk first _decreases_ the functionality of your
PC?? Let's see:

First, it gets rid of all possible boot and master boot sector
viruses, in the sense that they can't infect your PC any more (file
infectors and multi-partite viruses still can).

Second, it eliminates the searching for a floppy in drive A: - a
relatively slow operation - and therefore speeds up the boot process.

Third, if the hard disk becomes inaccessible to the BIOS, the computer
will still boot from a floppy. Only if the hard disk remains
accessible to the BIOS but becomes non-bootable for some reason will
the boot process hang - but then all you need is to reboot the
machine, enter the CMOS configuration program again, and tell the BIOS
to boot from a floppy. As easy as that.

Looks pretty much like _increasing_ the functionality of your PC to
me...

> > infectors in most cases. In the few cases that remain - such as Monkey
> > - a few DEBUG commands would handle it too. Starship might cause some
> > problems for automated removal, but with FDISK and a little bit of
> > thinking it should be possible to do it.

> This all sounds very complicated to me, Vesselin. :-) I know I prefer the
> _simple_ elegance of the ResQdisk program that is part of the InVircible
> antivirus software suite. A few hotkeys is all you need to learn. There is

Oh, I see. You prefer simpler solutions. Why, you have a point. Nice
argument, thanks. I'll use it against you in another message. :-)

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 08:55:57 -0400
From: Scott Clem
Subject: Re: Monkey B virus (PC)

> From: rmcghee@freenet.vcu.edu

> would no longer boot. She took it to another guy who
> reformatted the hard drive and ran FDISK at least 15 times
> trying to get it. I tried using scan /clean, killmonk.exe, and
> xmonkey.exe to fix the boot sector. None of them will work.
> All data has been lost on the machine so if there is a way to
> totally wipe everything let me know please. The FDISK /MBR

I've had success with both Clean, Kill Monkey, and Norton Disk Doctor
in removing various strains of the Monkey virus. I suspect the disk
you're formatting the drive with has a virus or the DOS disks you're
re-installing to the drive are infected. You need to scan ALL of your
disks before re-inserting them into the drive.

Good Luck!

Scott

------------------------------

Date: Tue, 11 Apr 95 08:58:05 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disinfecting ANTIEXE virus (PC)

Robert Casas (rc.casas@ix.netcom.com) writes:

[sorry about the long quote that follows]

> Describing safe computing practices is a bit much to describe in a brief
> note. Cleaning up an MBR infected by AntiEXE is very simple with version
> 6.01D of InVircible. Please read the manual.txt in the InVircible 6.01D
> archive for many suggestions on safe computing practices.
> Download a copy of InVircible 6.01D from Compuserve ( Go INVIRCIBLE, and
> download the file INVB60.ZIP from the InVircible file library) or ftp to:
> pyro.slip.ais.net/crypto/invircible/invb601D.zip.
> Use ResQdisk.exe from the archive.

> Please run RESQDISK. Is the SeeThru ON? Toggle it ON/OFF with the F9 key
> Does the image change? If it does, you have a boot sector virus.
> Browse now with the down arrow to sector 13. Can you read what you see
> there? If you see the string "missing operating system", you're in good
> shape. Please press ^E then ^R. Is there a red diamond at top right?
> Now press Home. You should read that you are now on sector 0,0,1. Make
> sure SeeThru is ON (F9). Now press ^E and ^W. Did the image change? Do you
> see now the "missing ... " label in the middle of the window? You have
> just copied your actual MBR back to where it belongs. Reboot your
> system using the reset key. Don't run anything else.

WOW! And I thought that you liked *simple* solutions! I hope you don't
call the above a simple solution, do you?

For instance, removing the same virus (AntiEXE) with F-Prot 2.17 looks
like that:

	f-prot /hard /disinf

Looks much simpler, doesn't it? What, you want even simpler? Then try
booting from DOS 5.0 or above, and execute the command

	fdisk /mbr

This will disinfect this particular virus (AntiEXE). Nevertheless, I
would recommend the F-Prot approach, because there might be other
viruses there.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:00:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FDISK /MBR ?? - virus.txt [1/1] (PC)

ong k.h. (maverick@einstein.technet.sg) writes:

> a. How does FDisk/MBR work for MS-DOS 5 & above ?

It contains a copy of the program that is normally found at the
beginning of the MBR. The option /MBR instructs FDISK to write this
program onto the beginning of the MBR of the first physical hard disk,
without modifying the data part (i.e., the partition table).

> Does DOS keep a copy of the original partition
> table ?

No. But FDISK keeps a copy of the original *program* in the MBR.

> b. If I have two hard disks and the slave hard disk
> partition table is infected with Boot sector virus,
> Is there any risk since it is not active ?

No. However, if you happen to mount this second (infected) hard disk
as your first one, the virus will receive control - so it is better to
remove it from there, just in case.

> can I clean it using FDISK/MBR ?

No, not with the FDISK that comes with DOS. I have heard that the
FDISK that comes with OS/2 has the option to do the /MBR trick on the
second hard disk, but I am not using OS/2 myself, so my knowledge
about it is rather limited.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:02:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus that screws up WFWG 32-bit disk access? (PC)

Tina Tindall (tinat@uidaho.edu) writes:

> -> "The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded.
> -> There is unrecognized disk software installed on this computer.

> When I get this message, it's about a 99.9% chance I've got the NewBug/AntiEXE
> virus back on my computer

No, this message is not specifically related to the AntiEXE virus.
However, when you suddenly see this message, it is a good indication
that you've probably got a boot or a master boot sector virus.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:07:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Noint Virus? (PC)

Scot Wolfington (scotwolf@southwind.net) writes:

> I received a disk that had several files on it that also included the
> Noint virus. Before I found this out I had copied a few of these
> files to my hard drive. Once I was told that the disk had the virus I
> ran MS Anti-Virus which showed the virus on the floppy disk but did
> not show anything on the hard drive. Should I worry about my hard
> drive?

No. This virus infects only the boot sectors of the floppies and the
master boot record of the hard disk. The only way to get infected by
it is to forget an infectable diskette in drive A: while you are
booting your computer (provided that it is configured to boot from
drive A: - configure it to boot from drive C: instead, if you can, and
you'll avoid this threat). Just copying some files from an infected
diskette cannot infect your hard disk.

BTW, your question is answered in the Virus-L FAQ; question E12. Read
the FAQ; it's a very instructive document.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:11:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Looking for information (PC)

afrayer@siesta.Packet.Net (afrayer@siesta.Packet.Net) writes:

> First question: Is there someplace where we should routinely report
> detected viruses for statistical purposes, or should we keep such
> encounters to ourselves?

There isn't any such "official" place. However, most anti-virus
researchers will be grateful for any reliable virus infection reports.
Try reporting the problem to the producer of the anti-virus software
you are using. If you are in the USA, you might also report it to the
NCSA - I've misplaced their contact address, but have heard that they
have a strong presence on CompuServe.

> Second question: VSCAND reported this new, boot sector virus to be
> called "NewBug". I have Pamela Kane's handbook and have searched the
> appendix for a listing on this virus with no success. Given the name, I
> wonder if the Intel product gives this name to any virus it has not
> previously encountered.

No. This is the name that it uses for a virus more commonly known as
AntiEXE.

> If so, any suggestions on how I can identify
> the virus?

Run one of the scanners that can perform exact identification of the
viruses they can detect. The best in this aspect is FindVirus from Dr.
Solomon's Anti-Virus Toolkit, but that's a commercial product and, in
my experience, the people who are asking questions here usually prefer
shareware/freeware. If this is also your case, try F-Prot (freeware
for individual use) or AVP (shareware). Both products will perform
exact identification on this particular virus.

> If not, where can I get info on this virus?

The AntiEXE virus is described in CARObase. You can get the latter
from

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/carobase.zip

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:21:05 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Can this HardDisk be saved? (PC)

Frank Bax (fbax@bosshog.arts.uwo.ca) writes:

> A friend asked me to look at two computers which he said were infected
> with Monkey virus. The first machine he cleaned with F-PROT and
> needed help with installing VIRSTOP. He said that F-PROT reported the
> virus in several EXE files on the second system.

No way; this virus does not infect EXE files. My guess is that your
friend has seen VirStop reporting the virus in *memory* - which means
that he has not booted from a clean floppy when doing the disinfection
and that his disk was immediately re-infected.

> I understand this is
> a boot sector virus, which means he shouldn't find it in an EXE, but

You are right.

> When I boot from a clean floppy and enter c: the system
> responds with "invalid drive specification.

This is pretty natural for a Monkey infection.

> When I run fdisk from this
> floppy, and ask to display info about hard disk, the first line
> indicates a non-DOS partition. The screen is somewhat garbled over
> the next few lines but SEEMS to indicate 3 other partitions.

Right; the reason is that the virus has overwritten the whole MBR
(including the partition table). That's why the information about the
partitions is bogus and you can't access the hard disk after booting
from a floppy. Why you can't boot from the hard disk is another
question - probably the reason is that the virus is damaged somehow.
Did you or your friend run FDISK/MBR? This MUST NOT be done when the
disk is infected by this particular virus, otherwise you risk finding
yourself in the situation you are describing.

> Is it possible to recover from this?

Yes, but not easily.

> If so, how do I proceed?

See another message of mine in which I am describing how to use DEBUG
(comes with DOS) to remove a Monkey infection to another person who
does not seem to know much about viruses.

> Several posts have mentioned fdisk /mbr - with the assumption that
> readers would know what's going on; my system has no doc on this
> option to fdisk. What exactly does it do?

It overwrites the program part only of the MBR with a known clean copy
that FDISK carries within itself, without trying to modify the data
part of the MBR (i.e., the partition table). You MUST NOT do this in
the case of a Monkey infection, or you won't be able to access the
hard disk. As a rule of thumb, before running FDISK/MBR *ALWAYS* try
to access the hard disk (e.g., "DIR C:"). If you cannot access it
(e.g., "Invalid drive C:"), DO NOT RUN FDISK/MBR!!!

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:25:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help - Virus on Diskless PC (PC)

Trung Nguyen Business Fact (trung@yallara.cs.rmit.EDU.AU) writes:

> The PC is a 286 with a 1.44mb floppy. It has no hard drive. If I boot up with
> clean floppy (write protected) and run McAfee Scan version 2.1.4 it finds a
> virus in memory. If I switch the pc off and on again (cold boot) it still finds
> a virus. However, the virus name changes every time I run Scan.
> For example it
> has used names like, SPAWN, FORM-A, NO FRILLS.DUDLEY and various others. The
> floppy is 100% ok. I've tried removing the battery and then resetting the
> PC BIOS with no success. What is my problem? What can I do?

Your problem is in using McAfee's SCAN version 2.1.4. This is a very
bad program, with a low detection rate and a high rate of false
positives. If you must use McAfee's SCAN, at least upgrade to a newer
version - I believe that 2.20 is the latest one. An even better idea
is to switch to a better product. I would recommend F-Prot or AVP.

So, to summarize, you don't have a virus. Your problem is caused by a
bad anti-virus program. Throw it away.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:27:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus check (Newbie) (PC)

Brad Cauthers (bcauther@uoguelph.ca) writes:

> Hey there. I was wondering if anyone out there would happen to know
> where I could find a reliable virus checker on the internet for an IBM
> compatible PC.

You can find plenty of them on oak.oakland.edu, directory
/SimTel/msdos/virus/. I recommend you try F-Prot or AVP.

> I've just had to reformat my hard drive, and I don't feel
> like doing it again.

It is *never* necessary to reformat your hard drive in order to remove
a virus. In some cases you have to reformat it in order to get rid of
the damage caused by the virus, but even this can usually be avoided.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:31:56 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Quox Virus (PC)

Offline Testing Account (offline@calvin.stemnet.nf.ca) writes:

> The computers at my school have all become infected with a virus that is
> identified by TBAV as the QUOX virus. I was curious as to the effects of this
> virus since TBAV has insufficient documentation on it.

The CARObase project contains the descriptions of a few viruses (about
a hundred), including this one. You can get all CARObase entries from
our anonymous ftp site:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/carobase.zip

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:34:12 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Omnicron PT Virus (PC)

Peter Firla (pfirla@feldspar.com) writes:

> I am looking for any information I can get about the Omnicron
> Virus. It seems to be a new one, as most Virus scanners around
> don't seem to have any information about it.

This is an alternative name for a rather old and well-known virus,
called Flip. Try looking for it under this name.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 09:44:18 -0400
From: jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: Windows 95 (PC)

steven.hoke@expressl.com (Steven Hoke) says:

>Since the ordering numbers were just released for the Windows 95
>preview, this sounds like a good time to ask. Are there any specific
>problems associated with AV utilities and Windows 95, such as
>disinfecting a file that has a long file name? What about problems
>removing MBR infections? I seem to recall a message saying that there
>would be an update for McAfee's SCAN that dealt with Win95
>compatibility, but are there really any specific problems between Win95
>and scanners and virus removers (I understand that its always better to
>replace the file from archive copy if possible, rather than to disinfect
>it).

There can be several problems with Windows 95 and antivirus products.
Most of them are related to the long file names which none of the
current tools can handle yet. None of them are particularly serious.
In general, the current AV utilities will disinfect the file under its
short name and will ignore the long names. This will cause no problem.
If, however, the utility *deletes* the file, the long file name will
remain and will have to be removed using Windows 95.

MBR cleanup should not be a problem since Windows 95 doesn't do
anything to the existing MBR or the boot record.

If you already have a clean write-protected boot floppy with your
favorite AV utility on it, you can use it. Just remember to delete any
files in Windows that were deleted by the AV utility.

Depending on what they do, AV TSRs may not work with Windows 95. The
only one I can speak for is Frisk's Virstop which we use here. It
works fine.

Windows 95 can and does intercept low-level disk writes to protect the
long filename system. I've had it terminate several disk utilities of
the Norton/PC-Tools genre.

Joe Lawrence                 | "All opinions are mine, not Rockwell's"
Engineering Support Services | To do is to be - Nietzsche
Rockwell International       | To be is to do - Sartre
jfl@hobbes.cca.rockwell.com  | Do be do be do - Sinatra

------------------------------

Date: Tue, 11 Apr 95 09:50:48 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Strange Request (PC)

Dylan J. Greene (dylan@wam.umd.edu) writes:

> I've been asked if there is any anon ftp sites where a user could
> download/upload viruses.

Yes, there are. There are many such sites and most of them allow free
access to anyone to download viruses. In some countries this is
illegal (e.g., Italy), but it is not in the USA. Legal or not, it is
always irresponsible to distribute viruses without any kind of
control. I urge everybody to boycott the Internet providers who do not
take the necessary steps to remove such distribution sites. Netcom is
one such provider.

> My first feelings were "I hope not!" but

Unfortunately, your hope is vain. Those sites do exist.

> then I thought about the many virus protection developers. How do
> they get samples of the latest viruses?

Usually - not from such sites. We get our viruses mostly from people
who send them to us. I, in particular, never download anything from
any virus distribution sites as a matter of principle - doing
otherwise would give those sites an excuse to exist.

> Stemming off the first question is this one: Is there a such thing
> as a virus that is not harmful (aka possibly helpful)?

The short answer is: NO. For a long and elaborated treatment of this
subject, see my paper "Are 'Good' Computer Viruses Still a Bad Idea?".
You can get it in electronical form from ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip > What if a TSR > was implemented as a virus, such as antivirus software that could > "spread" causing any program it came in contact with to posses the > ability to know if it had a virus before executing (or modified in > suspisious ways). This is harmful and useless too. The reasons for it are covered in my paper mentioned above. > Thanks for any insight. You're welcome. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 11 Apr 95 09:55:15 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Undetectable stealth viruses (PC) Friedli Paolo (Paolo.Friedli@com.mcnet.ch) writes: > But I have been told that it is possible to write PC viruses that > are virtually undetectable. Altough I was able to imagine the way > it could work, I was wondering if such viruses have already been > discovered. It depends on your definition of "undetectable". It is possible to detect any particular virus. However, some viruses can use techniques that are pretty evasive and no anti-virus product can detect all possible viruses. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 11 Apr 95 09:57:25 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: die hard 2 virus - help! (PC) c.j. 
knox (knoxcj@elec.canterbury.ac.nz) writes: > I have a computer here that is infected with the die hard 2 virus. > Neither F-Prot 2.15 nor McAffee scan (dunno what version - not > expired yet) have been able to remove it. How can I get rid of the > virus apart from "format c: /u", since the backups are probably > infected as well. In other words - HELP! Of all non-commercial programs that I know, the only one that can disinfect this virus is AVP. You can get it from our ftp site: ftp://ftp.informatik.uni-hamburg.de/pub/virus/progs/avp/ You need all files in that directory; the ones with the lots of numbers in their names contain updates. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 11 Apr 95 09:59:32 -0400 From: richardb@intecolor.com Subject: RE: WIN95 AV Software (PC) On 03/26/95, Robert Abruzzo (rabruzzo@ix.netcom.com) wrote: >Which currently available anti-virus programs are compatable or effective >with Win 95? I am currently using F-Prot V2.17 with WIN95 Final BETA (also Build 438 for those in the know) with no compatibility difficulties. During the last month, I have had a test jig infected with Stealth_Monkey_B and ANTIEXE and Stealth_boot_c (a variant that I did not know existed) with very positive results. F-prot cleaned and disinfected (and left a pleasant lemony scent) with no difficulty. >I am less interested for the moment with "shield" programs than I am with >scan and clean programs that I can start manually. I am most concerned >(obviously) about any unintentional damage that the cleaning programs >might do in unfamiliar territory. 
I do recommend that a WIN95 startup disk be created that contains the AV scanner (or whatever) so that you can be sure of a "clean boot". Incidentally - in all the virii noted above, WIN95 generated errors that helped me notice the infection. Like Windows, WIN95 is very resource hungry and will fail to execute if there is a virus in memory. Omniae viae ad mortis ducent All roads lead to death - yeah, I have my dark days. >` ))))>< ------------------------------ Date: Tue, 11 Apr 95 10:05:53 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: **Deperate for help!!!!!** Please read! (PC) Christopher Ray Aman (craman@unity.ncsu.edu) writes: > Two days ago, it fell ill with what my anti-virus > program calls a STEALTH_C virus. However, I have a scan/clean program from Mcafee > and it knows nothing about a 'STEALTH_C' virus. Then you have an old version of that program. McAfee's SCAN version 2.1.6 does know this virus and detects it reliable. I haven't tested whether it can disinfect it. In case it cannot, I would recommend you to use F-Prot - I *know* that it can disinfect this particular virus. > If anyone who happens to read this knows > anything about this virus, what it does, Essentially - nothing. It is a stealth MBR infector, a rather sloppily written one, which does nothing but replicate. > where it comes from, The original variant - Stealth_Boot.A - has been published in a book my Mark Ludwig, who teaches the people how to write viruses. Somebody of his readers has obviously picked the source of the virus which is published there, has modified it a bit, and has released it in the wild. You can contact Mr. Ludwig and explain him how much you appreciate his efforts to waste your time. > or how to get rid of it, The best way is to use an anti-virus program that can remove it. For instance - F-Prot. In the worst case, you can boot from a clean system floppy containing DOS version 5.0 or above and run the command FDSIK/MBR. 
This will remove this particular virus from your first hard disk. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 11 Apr 95 10:10:27 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Is Anti CMOS a virus? (PC) contekot@inforamp.net (contekot@inforamp.net) writes: > Anti CMOS was detect by Norton AntiVirus version 3.0. This > message did not show up when test by Central Point AntiVirus > for Windows. The PC is working fine. No problem has been report > yet. > What is Anti COMS mean anyway. Will it damage any file at all? AntiCMOS is a virus which infects the boot sectors of the floppies and the MBRs of the hard disks. It will not do any intentional damage to the files. CPAV is supposed to find it; if it doesn't, it might be a mistake from the part of NAV, instead of a real virus... Try to double-check it by running a better scanner (both NAV and CPAV are rather bad ones, especially CPAV). I recommend F-Prot. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 11 Apr 95 10:20:17 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Desperately need help cleaning DA'BOYS virus!! (PC) Adam Witas (awitas@ix.netcom.com) writes: > I have a very serious problem with a virus called DA'BOYS. Mcafee > version 1.5 detects it, but does not clean it. :-C > Norton is supposed to clean it, but I don;t have Norton. 
> Does anyone
> have (or know where I can get) a virus cleaner that will kill the DA'BOYS
> virus? Thanks in advance!

It is very problematic to remove this particular virus with an anti-virus program. You see, the virus infects the DOS boot sector, but does not save a copy of the original boot sector anywhere - so an anti-virus program cannot fetch the original copy and write it in its original place. The only way to remove the virus is to overwrite it with a known clean DOS boot sector which you get from somewhere else.

Unfortunately, the DOS boot sector program is copyrighted, so the anti-virus programs cannot carry it within themselves - unless the producer of the anti-virus product has obtained a license from Microsoft or IBM. However, even this wouldn't help, because the different versions of DOS use different boot sector programs. True, versions 5.0 through 6.22 of MS-DOS all use one and the same boot sector program, but this is not true for PC-DOS version 3.30, for instance. It is even worse with the other brands of DOS - DR-DOS, Novell DOS, Compaq DOS, Zenith DOS, and so on. You can't just replace their boot sector with an MS-DOS 5.0 boot sector - or the disk will become unbootable.

There is no way to write a "universal DOS boot sector" that would boot any DOS version - because the different brands of DOS expect different contents of the CPU's registers when the boot sector program transfers control to DOS. The most that could be achieved is to have a set of boot sector programs and to use the proper one depending on the target disk's DOS version - but this is rather clumsy and troublesome.

A much better solution for your case (the Da'Boys infection) is to boot from a clean, write-protected diskette, containing the SAME DOS version that your hard disk is formatted with, and to run the command SYS C:.

Regards,
Vesselin

------------------------------

Date: Tue, 11 Apr 95 10:27:06 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: All experts please read and respond! (PC)

Lesley Ogden, User Support Services, (803)953-6890 (OGDENL@Citadel.edu) writes:

> a Novell Netware 3.11 network), I found strange things happening in memory
> (MEM/C) with unidentified programs using approx. 5-6K of memory. In addition,

[snip]

> Based on these occurrences, I began scanning these computers for a
> virus with other virus scanning programs (we normally run automatic scans with
> Intel's VSCAND from the network when each computer boots) and detected a "trace
> of TEQUILA" in memory using McAfee's VirusScan 2.1.1.

[snip]

> Then, less than one week later, all the computers in two different labs
> began exhibiting similar symptoms (programs not running because of
> insufficient memory).

[snip]

> F-PROT 2.16 (March) and the older January shareware    No viruses detected
> version using Secure and Heuristic scans on
> the entire hard drive to scan ALL files

[snip]

> *This only occurred when the computer was booted from the hard drive - a
> diskette boot comes up clean.

This might mean that your machine is infected by a new virus, unknown to the scanners. I suggest that you boot from your supposedly infected disk, format a system floppy in drive A:, copy to it a few COM, EXE, and SYS files that you often run (for instance, the ones you start from your CONFIG.SYS and AUTOEXEC.BAT files) and send this to some anti-virus researcher.

> Norton's Antivirus (free Michelangelo edition)    No viruses detected

Don't use this. It detects only Michelangelo.

Regards,
Vesselin

------------------------------

Date: Tue, 11 Apr 95 10:45:58 -0400
From: richardb@intecolor.com
Subject: RE: Windows 95 (PC)

On 03/26/95, Steven Hoke (steven.hoke@expressl.com) wrote:

> Since the ordering numbers were just released for the Windows 95
> preview, this sounds like a good time to ask. Are there any specific
> problems associated with AV utilities and Windows 95, such as
> disinfecting a file that has a long file name? What about problems
> removing MBR infections? I seem to recall a message saying that there
> would be an update for McAfee's SCAN that dealt with Win95
> compatibility, but are there really any specific problems between Win95
> and scanners and virus removers (I understand that it's always better to
> replace the file from an archive copy if possible, rather than to disinfect
> it).

I am not experienced with McAfee with WIN95, but I have been using F-PROT V2.17 with WIN95 Final Beta (and build 438) and have not had any trouble with long filenames. The issue seems to have been brought up quite often, but there is no difficulty. Interestingly (?), MS has dropped any pretensions of AV scanning by not including MSAV any longer (I hear the sighs of disappointment).

As I stated in an earlier post (oh, maybe 10 minutes ago), I have infected a test jig with several MBR virii (stealth_boot_c, Antiexe, and Stealth_Monkey_b) and have not had any trouble cleaning them off using F-prot. Hey - I'm not a marketing guy for Frisk, but I just haven't found any fault with F-prot and see no reason to switch now.

AN ASIDE CONCERNING THE HEATED DEBATE: We are a U.S. Industrial Computer manufacturer and NEVER get a virus that has not been out in the world long enough to get a signature in the major scanners. Sure, maybe those guys that download .EXE's from alt.binaries.pictures.erotica.piracy.teen_hoods need a more heuristic approach - but the tried and true scanner has kept us clean for years! No - I do not buy what "propaganda" tells me to buy - I wait for Rush to tell me to buy it!

Ein seliger Sprung in die Ewigkeit
"A blissful leap into Eternity" - Hegel (NOT CALVIN KLEIN)

>` ))))><

------------------------------

Date: Tue, 11 Apr 95 10:46:01 -0400
From: richardb@intecolor.com
Subject: RE: Re: Help with the stoned virus (PC)

On 03/27/95, Christopher Coon (CCC1@ix.netcom.com) wrote:

> bl787@freenet.carleton.ca (Jonathan Hawryluk) writes:
>
>> I have the stoned virus on my computer, or at least that is what a new
>> version of f-prot says. It says I need to boot my computer with a clean
>> boot disk. My problem is that I need to make a boot disk and can not
>> remember how. If anyone could please help me. I would also like to know
>> any side effects it has on my system, and any extra info on it.
>
> You need to copy the command.com file from a "clean" PC. Good Luck.

NOTE: This will NOT (repeat - NOT) work. Copying the Command.com file to a diskette will not make it bootable. I recommend using either the Format /s or sys a: commands (for information on using these utilities, consult your MS-DOS manual).

For the literacy impaired:

FORMAT A:/U/S - will format the diskette in the A: drive and copy over the system tracks (the U is for an unconditional format so that you don't have to worry about the Unformat crud).

SYS A: - will copy the system files onto a pre-formatted diskette - BUT it is possible that this command will fail due to "no room for system information" - in which case use the previous technique.

In both cases - make sure that you perform the operation on a KGB (Known Good Boot - what else could it stand for???)!

Seems funny to me that this information is not contained in a FAQ!!! Is it just me - or are many of these posts mind-numbingly redundant?

In the sweetness of his sorrow he possessed his delusive expectation
- Soren Kierkegaard, Fear and Trembling

>` ))))><

------------------------------

Date: Tue, 11 Apr 95 10:52:31 -0400
From: cdavis@usit.net (Chuck Davis)
Subject: Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)

>> I tried using the McAfee 2.16 but I still can't remove it! I
>> followed the instructions and used clean boot disks...
>
> I recently had this virus, and McAfee 2.2 for windows worked. I think
> I got this version from FTP.Mcafee.comp.
>

I too experienced this virus and used the McAfee 2.2 DOS version and was successful. I did notice, however, that I had to search through several boot diskettes to find a clean one. Once I had a clean boot, all was OK. If anyone can tell me what this virus will do or cause, I would like to know. Good Luck!

==============================================================================
| Electronic Presentation Systems                  Chuck Davis
| Touch Screen Information Kiosks                  Multi-Media Solutions, Inc.
| Tourism Specialty Software
| cdavis@usit.net
| (Voice) 615-681-2573
| (FAX )  615-681-2574
==============================================================================

------------------------------

Date: Tue, 11 Apr 95 11:08:19 -0400
From: swidlake@rl.ac.uk (S Widlake)
Subject: Re: Caution: Some copies IBM's Disk Mgr 6.0.3 may be infected. (PC)

Israel Kay <100112.2001@compuserve.com> writes:

> Chris Riordon (chrisr@globalx.net) writes:
>> IBM Canada shipped me a copy of Disk Manager 6.0.3 which permits
>> users to manage DOS partitions larger than 1024 cylinders).
>> It needs to be booted in order to work, and the floppy's MBR
>> (Master Boot Record) and boot sectors contain, at no additional
>> charge, a free copy of the Neuville (2KB) virus.

The "floppy's MBR" (if you can say that?) and its "boot sector" are the same thing.

>> The infection is hopefully local (this software was shipped by
>> IBM Canada, likely from Montreal).
>> Moral of the story is... don't trust =anything= regardless of
>> source.
>
> Are you 100% sure that you did not infect the diskette yourself by booting
> from it, without ensuring it was write protected.

Ooops... I think you meant to say something along the lines of...

Are you 100% sure that you DID infect yourself BY booting from it, AND are 100% sure that YOU didn't infect this floppy disk yourself by write-protecting it as soon as you got it - i.e. before you even thought about putting it into your (possibly infected) PC. [With "it" in each case being the "infected" floppy disk from IBM]

The only way you could convince me that this infection came from IBM is if the floppy was "permanently write protected" (but a bit of tape would get around that, so I'd have to trust you here) and that none of your own floppy disks, that have not been used since "the incident", are infected.

I had a recent, similar "brush" with a disk from Micro$#*t (No I won't say it)... turned out to be the software distributor that was at fault by lending out "evaluation copies" before re-shrink wrapping the whole thing and then selling it on - not M$'s fault at all. [shame, really]

FYI - This was the _only_ infected disk... well done, GUARD :-)

S.
--
sig II Still Under Construction ...

------------------------------

Date: Tue, 11 Apr 95 11:11:47 -0400
From: wolberg@chemie.uni-oldenburg.de (Michael Wolberg)
Subject: Re: Virus that screws up WFWG 32-bit disk access? (PC)

> -> "The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded.
> -> There is unrecognized disk software installed on this computer.

Can it be that every (boot-sector) virus which hooks INT $13 causes this message?
MiWo ------------------------------ Date: Tue, 11 Apr 95 11:14:07 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Hardware Virus Protection - EMD Armor Plus (PC) EMD Enterprises (emd@access.digex.net) writes: > That is why scanners and TSRs, > which can only be loaded in config.sys and autoexec.bat, are ineffective > against boot viruses. That's not completely true. A TSR scanner will detect a boot sector virus known to it when the user accesses the infected floppy, or when the user presses Alt-Ctrl-Del with an infected floppy left in drive A:. Also, in most cases the scanner will be able to detect that a boot sector virus is in memory, if you boot from an infected hard disk. While protecting the boot sectors via hardware is still better, I would hardly call the protection provided by the TSR scanners "ineffective". > You raise a good point here. One common criticism against activity > monitors like EMD Armor Plus has been that these are prone to giving > false alarms, and this creates a temptation to disable the protection > altogether. When we designed EMD Armor Plus, we made sure to reduce > instances of false alarms to almost zero. This was not my experience when I played with your product at the Hannover fair. It raised an alarm when I just tried to execute the COPY command. I would hardly call this a "zero false alarms rate". > EMD Armor Plus has a unique > feature called "Immunization with Special Permissions". What's so unique about it? Assigning permissions to the programs on the system has been known for years in the mainframe world. Ever heard of "discretionary access control" or of "access control lists"? > You can give > permissions to programs like compilers, which frequently write to > executable files, to proceed without raising false alarms. Incidentally, there is a virus (Compiler) which infects files exactly at the moment when the compiler (or linker) is creating them. 
Such viruses are called "slow infectors" and are a serious threat against the integrity checkers and the behaviour blocking programs - just like the polymorphic viruses are a threat for the scanners. > Similarly, > user specified programs like FORMAT, SMARTDRV, utility programs can > access hard disks directly. So, what about a boot sector virus which infects only when the boot sector is being written to? FORMAT and SYS write the boot sector, so you have to allow this programs to do so. But if you do so, then the virus will infect each time you are formatting a floppy. > THIS DOES NOT REDUCE THE PROTECTION LEVEL > OF THE OVERALL SYSTEM IN ANY WAY. I do not think so. > This feature is rather unique to EMD > Armor Plus. It certianly isn't. There are plenty of other access control products which do the same thing. Some of them are based on a design more secure than your product. For instance, your product is just a BIOS extension. Another product, called ExVira, attaches itself electrically *between* the hard disk and the motherboard and also between the keyboard and the motherboard - thus ensuring that it cannot by bypassed. > On the other hand, scanner based software products are not exactly > free from false alarms either. One only has to follow the comp.virus > and alt.comp.virus newsgroups to get an idea of the chaos and confusion > prevailing among users due to the false identification of viruses by > the leading scanner based programs. The fact is, scanners nowadays have > to rely more and more on heuristic scanning in order to be able to > detect the newer sophisticated viruses. As a result the scanners are > prone to raising alarms whenever they think the code MIGHT be a virus. While true for many scanners, it is not true in general. You really ought to get some more insight about how the different anti-virus products work and should not put all scanners in the same bag. For instance, have you ever heard about a false positive caused by FindVirus or by AVP? 
No, because those scanners decrypt even the most sophisticated viruses and perform an exact identification on them. Also, have you heard about a false positive caused by IBM AntiVirus? No, because the scan strings used in this product are constructed using a scientific model which minimizes the probability of a false positive. If you want to learn more about this, take a look at the paper ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/immune.zip > It is tough to be cheaper than something that is free :-) However, > EMD Armor Plus is very competitively priced (in most cases cheaper) when > compared to commercial anti-virus software when the cost of periodic > updates is included. I keep hearing this "cost of periodic updates" argument. However, in most cases it is bogus. Most scanner producers sell you a period of automatic free updates for their product - two years is not uncommon. Are you claiming that the user will not have to update your product in two years?! C'mon, I have updated even my CPU during this period... :-) > Your comment that file infector viruses are more common is indeed > correct. No, it is not. File virus are more *numerous*, not more common. Boot sector viruses, although much less numerous, are much more common. > However, although relatively small in number, boot viruses > are responsible for the majority of virus related disasters, Yep, exactly. > largely > because scanner based software products are of limited use against > them. Rubbish. No, of course not. The real reason is that that there are much more carriers for boot sector viruses than for file viruses. You see, viruses spread mostly via floppies. Not all floppies contain executable files, but every formatted floppy contains a boot sector that can be infected. Also, some people are careful enough not to execute the files they see on other people's diskettes, while they often forget a "data-only" or a "blank" diskette in their A: drive. 
If everybody sets their computers to always boot from the C: drive, boot sector infections would be much more rare. > Sophisticated viruses employing encryption/stealth techniques do > not present any special challenge for EMD Armor Plus. This is because > EMD Armor Plus looks for the activities that are typical of viruses, > and does not focus on their appearances as scanners do. This is perfectly true. Encryption and polymorphism is a powerful technique against *scanners* ONLY. Integrity checkers and behaviour blockers have no trouble whatsoever to deal with them. A powerful attack against the latter are the slow viruses - which, from their part, pose no threat whatsoever to the scanners. > Not all files that are infected by viruses can be cleaned. The cleaning > procedure does not work even for many known viruses. Often times > viruses corrupt files to such an extent that the only option is to > delete the files and restore them either from a back-up, or the > vendors' original installation floppies. THIS IS TRUE FOR ALL CLEANING > PROGRAMS. In fact, most experts recommend that a virus infected file be > deleted and restored from a back-up even if it is possible to clean it. I also tend to agree with the above - replacing the infected files is always better than trying to disinfect them. However, this does not mean that all anti-virus programs are equally bad in disinfection. For instance, F-Prot, AVP, FindVirus are much better than most of the others. > As regards reviews, EMD Armor Plus was reviewed by the PC Plus > magazine in the December, 1994 issue and received a score of 5 out of 5 > and was awarded the PC Plus Recommended status. The product was also > featured in an article in the Computer Reseller News in May, 1994. I am not impressed. I have seen even such crap like CPAV to receive the "Editor's Choice Award" of magazines like BYTE. 
I don't trust such "reviews" as they are often done by people who are good reviewers of general-purpose products, but are completely incompetent when it comes to computer viruses. For an alternative view on your product, the readers of this forum should refer to "Virus Bulletin" of November 1994. > All this is understandable, and > we welcome the debate. It's good to hear that you understand it and that you welcome the dabate. For some time I was left with the (obviously wrong) impression that you'd rather threaten to sue somebody who happens to disagree with your oppinion on your product, instead of debating with him... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 11 Apr 95 11:19:42 -0400 From: selva@selv.pc.my (selv) Subject: Die Hard 2 (DH2) Virus (PC) I happen to have come across DH2 virus. Could anybody suggest a free/ shareware Anti virus prrogram which will clean my files without deleting them. (I know Armour can do it, but it costs an arm and a leg too to buy). regards selva@selv.pc.my ------------------------------ Date: Tue, 11 Apr 95 11:37:39 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Help: GNEB Virus (PC) Robert Casas (rc.casas@ix.netcom.com) writes: > > I assume you mean GENB, this is McAfee-speak for "we don't know > > the name of this virus". > >> Can anyone help me with this? > > If they don't know what it is, then you can't tell us what it is, > > and we can't tell you what to do. > Not quite, correct, though in general useful advice if you depend on > antivirus tools that need to have a signature of a virus to detect it and > recover and restore your system. 
> On the other hand, if you use a primarily generic ( not specific to a > given virus ) product you do not need to know the name of a virus to deal > with it effectiveley. Now, now, now, let's be a bit consistent, shall we? Whe original poster who was asking a question was told by the anti-virus tool he used that he has a *generic* boot sector virus. That is, he wasn't told which particular virus he had. His natural reaction was "So, what the heck does this virus do?". *ONLY* a virus-specific anti-virus program, such as a good scanner that performs exact identification, would be able to help him answering this question. *NO* generic product - heuristic analyser, integrity checker, behaviour blocker - would be able to tell him which particular virus he has and what does this virus do. This is one of the main drawbacks of the "generic" tools you are promoting. They tell the user "you seem to have a problem that might be caused by a virus". "Well, so *is* it a virus?" "Ugh, probably, yes". "So, *what* does it do?" "Ugh, dunno." > This is a myth that has been promoted by virus-specific product > manufacturers because that is the only way _their_ products can deal with > viruses. Rubbish. The myth is that the generic anti-virus products can help in a situation when the user is asking virus-specific questions and you are promoting this myth right now. > Download InVircible by ftp from: NO, DO NOT!!! I have discovered that InVircible is in fact a dangerous TROJAN HORSE, which sometimes INTENTIONALLY destroys your data. I will post a separate message on this subject. Watch this space. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 11 Apr 95 11:52:48 -0400 From: richardb@intecolor.com Subject: RE: Re: Virus that screws up WFWG 32-bit disk access? (PC) On 03/28/95, Tina Tindall (tinat@uidaho.edu) wrote: >gwb@xs4all.nl (Jerry Britton) writes: >- -> >- -> Anybody seen a virus that screws up Widows for Workgroups 3.11 32-bit disk >- -> access? I booted my PC one day, only to receive the message: >- -> >- -> "The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. >- -> There is unrecognized disk software installed on this computer. >When I get this message, its about a 99.9% chance I've got the NewBug/AntiEXE >virus back on my computer (we've been fighting it here in our college for >about 6 months now). I just clean it off, and viola, everything works fine >again. In fact, many MBR infectors will give the error noted above. I have personal experience of Stealth_boot_c causing the EXACT same error. In fact, almost any program that futzes with the MBR can give an error with 32-bit disk (and/or file) access. Interestingly (???), older versions of the Disk Manager software also generate this error, as do some CD-ROM drivers, disk compression utilities, etc, etc. It is impossible (IMHO) to determine the virus from the WIDOWS error messages. BTW - my wife believes that she is one of those widows for workgroups. Windows world + Comdex = WINDEX >` ))))>< ------------------------------ Date: Tue, 11 Apr 95 11:54:56 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Remove stealth virus - it's easy (PC) Zvi Netiv (netz@actcom.co.il) writes: > Copy a few clean files to a floppy in a clean machine, then run IVB, > InVircible's integrity analyzer on that floppy, to initialize its > signatures database. Have a copy of IVB.EXE on the floppy. > Now take the diskette to the infected machine and run a few programs > from the floppy. 
> Finally run IVB to check its own floppy.
> If IVB reports increased files, then the virus isn't stealth at all.
> If IVB reports changes but no increase in file size, then it's a
> semi stealth virus. But if no changes are reported at all, then it's
> a full stealth virus.

Or you don't have a virus at all. :-)

> hard drive (or from the server). Run a clean copy of IVB /R (restore)
> on the affected drive (or server) and all files will be restored to the
> byte in no time.

"To the byte"? You have no way to know this. IVB does not compute a checksum of the whole file, so after it has performed its restoring functions, it has ABSOLUTELY NO WAY to determine whether the file has been restored "to the byte" to its original state.

Here is how the users of InVircible can verify my claim. Take some moderately big file, put it in a single empty directory, and run IVB /S on it. It will create a 66-byte file named IVB.NTZ, containing some information about the file. Rename this file to something else, say IVB.OLD.

Now, use a hex editor to modify the executable file somewhere in the middle. Make sure that the modification is not within the first 28 bytes of the file if it is a COM file, and not within the first 3 bytes after the initial JMP if it is a COM file. If it is an EXE file, avoid modifying the 26 bytes after the 'MZ' identifier in the EXE header, or the 2 bytes after the file entry point (pointed at by the CS:IP fields of the EXE header). Make sure to use a hex editor that does not modify the time and date of last update of the file - for instance, Norton's Disk Editor.

Now, run IVB /S once more. It will create another IVB.NTZ file. Now compare IVB.NTZ with IVB.OLD. You'll find that the two files have exactly the same contents. How could it be, if they are computed on executable files with different contents? Simple, IVB does not store a checksum of the whole file.
Therefore, it has no way to detect whether the file has been restored to its original contents "to the byte" - because it has no information about those original contents.

> Since the above method is not an algorithmic scanner's one, then it is
> error free, regardless of whether the virus is known or new.

It is far from error free.

> Common viruses that can be cleaned by cooperative recovery are Natas,
> Tremor, 4096 (Frodo) and from newer vintage, Hemlock. There are of

Tremor? I got the impression that InVircible does not detect Tremor at all... I have to do some more tests; stay tuned.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226        Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.             Vogt-Koelln-Strasse 30, rm.
107 C                        e-mail: bontchev@fbihh.informatik.uni-hamburg.de
22527 Hamburg, Germany

------------------------------

Date: Tue, 11 Apr 95 12:38:47 -0400
From: JLINDER@ccmail.turner.com (Jack Linder)
Subject: Form Virus (PC)

I got hit with the Form virus. More specifically, Intel's VSAND reports it found virus 'Form' in the boot sector. I think I have it cleaned out, and am scanning all disks/floppies, etc, but I have a question. What does this virus do, and how sure should I be that I got it out? (Scanners show it to be cleaned out).

Jack Linder
jack.linder@turner.com

------------------------------

Date: Tue, 11 Apr 95 13:34:32 -0400
From: neil@cooper.dungeon.com (Neil Cooper)
Subject: Macafee 2.20 (PC)

Where can I get Macafee 2.20 for Windows? Any help would be good.

Thanks
Neil Cooper
neil@cooper.dungeon.com

[Posted with Free Agent 0.46. For info, email agent-info@forteinc.com.]

------------------------------

Date: Tue, 11 Apr 95 15:04:07 -0400
From: Kathleen.Gordon@hammer.msfc.nasa.gov
Subject: Re: Norton Anti-virus updates?
(PC)

jdopp@pipeline.com (Jason Oppenheim) writes:
>Anyone know how I can get the latest virus lists for NAV

Their BBS (503-484-6699 for 300/1200/2400, and 503-484-6669 for 9600) has what you're looking for. Note that the latest virus list requires that you also get a copy of 3.0's patch file -- in which case, figure on spending some time getting it all. Connecting at 9600 still took me about 45 minutes recently for both.

I'm hoping someone responds to say Symantec has an FTP site now ...

- --
Kathleen Gordon                        Voice (205) 544-7656
NASA/Marshall Space Flight Center      kathleen@ranger.msfc.nasa.gov

------------------------------

Date: Tue, 11 Apr 95 17:09:43 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: InVircible is a Trojan Horse! (PC)

Hello everybody,

Recently there has been a lot of hype about the anti-virus product called "InVircible", produced by Zvi Netiv from NetZ Computing Ltd., Israel, and distributed as shareware by several companies - mostly in the USA. The author of the product is trying hard to push it, using methods that, according to some, are at least questionable from the business ethics point of view. He regularly posts to many virus-oriented public forums, advertising his product as "the ultimate defense against computer viruses" and often engages in rather low bashing of the products of his competitors and the competitors themselves. Even independent anti-virus researchers who do not agree with his opinion on his product have not escaped his personal attacks and character assassination tactics.

I have begun to analyse the product in detail, in order to verify whether it indeed meets the producer's claims and, if not, to warn its users about it. This verification and analysis is still in progress. When it is ready, I will publish a paper containing the results I have obtained.
However, while examining the product, I have determined that in some situations it INTENTIONALLY DAMAGES the user's data - just like a Trojan Horse - and have considered this discovery important enough to publish a warning message before the final paper is ready.

While I was doing the tests, a minor disaster happened. As you probably know, I am Bulgarian. I am also closely affiliated with the Laboratory of Computer Virology at the Bulgarian Academy of Sciences in Sofia. I often send there software obtained from different shareware sources, information about viruses, and so on. To keep track of this information, a record is kept in a text file named SOFIA in one of the directories on the disk.

While I was examining the programs from InVircible and running them, I discovered that this file had suddenly disappeared. The DOS command UNDELETE seemed unable to recover it. While this was annoying, I always keep good backups and was able to recover the file. At that time, I decided that I had accidentally deleted it by mistake - although it didn't seem very likely.

To my surprise, the next time I executed one of InVircible's programs while the file SOFIA was in the current directory, that file disappeared again - and again it was not possible to undelete it. This time I became very suspicious and used a monitoring program to watch what exactly the programs from InVircible do when executed.

I discovered some very troubling things. First of all, every single program from the package that performs a self-check, when started, deletes a file named SOFIA in the current directory. Second, some of the programs (IVINIT and IVB) also destroy a file named WRITEST in the root directory of the current drive. This happens every time those programs are run - regardless of whether those files exist or not. Since the self-checking mechanism also involves the creation of some files (decoy launching), the disk is being written to before the program has terminated.
This usually results in UNDELETE being unable to recover the destroyed files.

I do not know what the author of InVircible has against a file named after the capital of my native country. Nowhere in the documentation does he explain why those two files are deleted - he does not even mention that such a deletion takes place. The destruction of those files is undoubtedly intentional, and the user is never offered a chance to save them - or even informed about the intention of the product to destroy them. I was lucky to have backups, but for some other users this behaviour of the product can easily result in the irreparable loss of precious data.

This makes me classify InVircible as a Trojan Horse destroying data, and I strongly discourage the users from ever using any programs released by the same author. Indeed, I discovered the very same damaging code in two other products of his - his infamous AVPL (the product that creates "immasculated viruses") and the set of utilities FIXBOOT, SWAPBOOT, and XMONKEY.

AVOID THE PRODUCTS FROM Zvi Netiv and NetZ Computing, Ltd. - or your data is at risk.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev            Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226        Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.             Vogt-Koelln-Strasse 30, rm.
107 C                        e-mail: bontchev@fbihh.informatik.uni-hamburg.de
22527 Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 37]
*****************************************
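The IVB test Bontchev describes in his "Remove stealth virus" reply (record the signature, patch the executable somewhere in the middle while leaving the header and entry-point bytes alone, then compare the two IVB.NTZ files) comes down to the difference between an integrity checker that signs only selected regions of a file and one that hashes the whole file. The block below is an added example and is not code from this digest, from InVircible or from any of its authors: it models a hypothetical header-plus-entry-point checker of the kind he describes, puts a whole-file SHA-256 next to it, and runs both over a constructed MZ sample and a constructed COM stub. The sample layouts, the function names and the exact regions the partial checker reads are assumptions; the point is that a mid-file patch leaves the partial signature unchanged, so such a checker cannot confirm that a restore brought the file back "to the byte".

```python
import hashlib
import struct


def entry_offset(data: bytes) -> int:
    """File offset of the first executed instruction.

    MZ: header size in paragraphs (offset 0x08) plus CS:IP (0x16:0x14);
    COM: offset 0.  Assumed layout for this example, not a loader.
    """
    if data[:2] == b"MZ":
        hdr_paras = struct.unpack_from("<H", data, 0x08)[0]
        ip, cs = struct.unpack_from("<HH", data, 0x14)
        return hdr_paras * 16 + cs * 16 + ip
    return 0


def partial_signature(data: bytes) -> bytes:
    """Hypothetical region-only check: the first 28 bytes plus a few bytes at
    the entry point (2 for an EXE, 3 at the JMP target for a COM file).
    Models the kind of check described in the digest, not InVircible's format."""
    if data[:2] == b"MZ":
        e = entry_offset(data)
        regions = data[:28] + data[e:e + 2]
    else:
        regions = data[:28]
        if data[:1] == b"\xe9":  # JMP rel16: follow it and sample 3 bytes there
            rel = struct.unpack_from("<h", data, 1)[0]
            target = 3 + rel
            regions += data[target:target + 3]
    return hashlib.sha256(regions).digest()


def full_signature(data: bytes) -> bytes:
    """Whole-file hash: any byte change anywhere alters it."""
    return hashlib.sha256(data).digest()


def baseline_for(data: bytes) -> dict:
    """What a checker would store at /S time (both variants side by side)."""
    return {"partial": partial_signature(data), "full": full_signature(data)}


def verify(baseline: dict, data: bytes) -> dict:
    """Recheck a file against its stored baseline."""
    return {
        "partial_ok": partial_signature(data) == baseline["partial"],
        "full_ok": full_signature(data) == baseline["full"],
    }


def make_sample_exe(body_len: int = 512) -> bytes:
    """Constructed sample, not a real program: a 32-byte MZ header
    (2 paragraphs, CS:IP = 0:0, so the entry point is at offset 32)
    followed by a deterministic body."""
    header = bytearray(32)
    header[0:2] = b"MZ"
    struct.pack_into("<H", header, 0x08, 2)       # header size in paragraphs
    struct.pack_into("<HH", header, 0x14, 0, 0)   # IP, CS
    body = bytes((i * 7) & 0xFF for i in range(body_len))
    return bytes(header) + body


def tamper(data: bytes, offset: int, value: int) -> bytes:
    """Return a copy with one byte changed (the hex-editor step; on disk you
    would also have to preserve the file's timestamp, as the post notes)."""
    buf = bytearray(data)
    buf[offset] = value & 0xFF
    return bytes(buf)


def demo() -> dict:
    """Mid-file patch vs. entry-point patch against both checkers."""
    orig = make_sample_exe()
    base = baseline_for(orig)
    mid = tamper(orig, 200, orig[200] ^ 0xFF)              # beyond header and entry bytes
    e = entry_offset(orig)
    at_entry = tamper(orig, e, orig[e] ^ 0x01)             # inside the sampled region
    return {"mid": verify(base, mid), "entry": verify(base, at_entry)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The mid-file case is the one that matters for the "restored to the byte" claim: the partial checker reports the patched file as unchanged, so it could equally report a half-restored file as fully restored. Only the whole-file hash distinguishes the two, and a checker that never stored one has nothing to compare against.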